Reverse option of neverBuiltDependencies #4001
Comments
This doesn't make it completely secure to be honest. Let's say you add fsevents to
Yes. I agree, this case is interesting and completely makes it unsafe. @bentobox19 @kumavis @v-gjy @EtDu what do you think? If I allowed Maybe we also should limit the install source (only install from approved registry/git URL/HTTPS URL)?
🤔 Thanks to https://github.com/DimensionDev/Maskbook/pull/4867/files I think this + neverBuiltDependencies can solve the problem.
close #4001 Co-authored-by: Jack Works <jackworks@protonmail.com>
Having a new thought on this problem, what about we limit the package name like this? "onlyBuiltDependencies": ["npm:fsevents"] It will only run the build command if the package is made "fsevents" and it is installed directly from npm in form of
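
The difference between matching on package name alone and the source-qualified entry proposed in this thread (`npm:fsevents`), as an added example that is not part of the original thread and is not pnpm's code. The dependency record shape (`name`, `source`, `origin`), `APPROVED_REGISTRIES`, and the `example.test` origins are assumptions constructed for illustration.

```javascript
// Added sketch, not pnpm's implementation. The record shape
// ({ name, source, origin }) and APPROVED_REGISTRIES are assumptions.
const APPROVED_REGISTRIES = new Set(["https://registry.npmjs.org/"]);

// "npm:fsevents" -> { source: "npm", name: "fsevents" }
// "fsevents"     -> { source: null,  name: "fsevents" } (name-only entry)
function parseEntry(entry) {
  const m = /^([a-z]+):(.+)$/.exec(entry);
  return m ? { source: m[1], name: m[2] } : { source: null, name: entry };
}

// Decide whether a dependency's build scripts may run under the allowlist.
function mayBuild(dep, onlyBuilt) {
  return onlyBuilt.map(parseEntry).some((e) => {
    if (e.name !== dep.name) return false;
    if (e.source === null) return true; // name-only: origin is never checked
    if (e.source !== dep.source) return false;
    // Registry installs must also come from an approved registry.
    return dep.source !== "npm" || APPROVED_REGISTRIES.has(dep.origin);
  });
}

// Split a dependency list into packages allowed and blocked from building.
function auditBuilds(deps, onlyBuilt) {
  const allowed = [];
  const blocked = [];
  for (const dep of deps) {
    (mayBuild(dep, onlyBuilt) ? allowed : blocked).push(`${dep.name} <- ${dep.origin}`);
  }
  return { allowed, blocked };
}

// Constructed sample: three packages share the name "fsevents".
const SAMPLE_DEPS = [
  { name: "fsevents", source: "npm", origin: "https://registry.npmjs.org/" },
  { name: "fsevents", source: "npm", origin: "https://registry.example.test/" },
  { name: "fsevents", source: "git", origin: "git+https://git.example.test/fork/fsevents.git" },
  { name: "esbuild", source: "npm", origin: "https://registry.npmjs.org/" },
];

console.log("name-only:", auditBuilds(SAMPLE_DEPS, ["fsevents"]).allowed);
console.log("qualified:", auditBuilds(SAMPLE_DEPS, ["npm:fsevents"]).allowed);
```
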
Describe the user story
There should be an onlyBuiltDependencies option. Allowing only some scripts makes the install safer.
Describe the solution you'd like
Add an onlyBuiltDependencies like neverBuiltDependencies