Re: [tim-janik/beast] Many build issues on FreeBSD (#132)



> Electron apps package NodeJS code.

Electron contains the google-chrome rendering engine libchromiumcontent, the google-chrome JavaScript engine V8 (sandboxed) and nodejs (a V8 based JS language environment, not sandboxed) in a single binary. That is similar to e.g. Firefox and any language interpreter like Python or the JVM languages.

> npm downloads NodeJS code directly from GitHub, typically from hundreds of individual GitHub accounts.

npm is a package manager and package repository for web applications and nodejs applications. Packages are downloaded from npmjs.org. Web applications are sandboxed like a website displayed in a browser. Only nodejs applications and npm packages for nodejs could go rogue the way CPAN packages, PIP modules, JVM code, C, Go, Ruby, C++, Rust or shell code could after being downloaded. There is nothing special about npm here, other than it being used more widely, so it's potentially a more attractive target. It has had dependency fallouts in the past, which is why procedures have been adapted now to prevent this in the future and make package name spoofing harder. Most Python, C, C++, etc. code is hosted on GitHub these days btw, but whether GitHub is used for hosting or not is really not related.

> This subjects users to the danger that some of these accounts go rogue and deliver malware to them, since NodeJS technology doesn't have any safeguards against this and such unsafe behavior is done rather by its design, there's little chance that major packaging systems would adopt them.

I don't follow that argument. Electron has sandbox functionality; C, C++, Ruby, Python, Haskell, etc. code that is pulled from GitHub and packaged doesn't.

> Perhaps Electron can be used w/out NodeJS, but it brands itself as ElectronJS, and your project too has the npm part in it.

That is just not related. Most websites use npm packages and are used by billions of people, every day. Claiming that npm is bad or insecure or unusable or anything alike is just not credible.

Regarding Beast, the package installation uses just one npm package, vue-2.6, and that comes with 0 dependencies. We used to also need jquery but could get rid of it. And I have probably studied more of the Vue code than I have studied the various C/C++ dependencies we pull in (those are pulled from GitHub btw).




