I recently came across an amazing post that really emphasizes the dangers associated with installing npm packages. It seems that every week a new supply chain attack occurs.
In my opinion, the existing solutions for this don't quite cut it, so I decided to create a library which provides runtime protection for Node. It currently protects against:
- Unauthorized file system access
- Unauthorized network access
- Unauthorized command execution (by way of exec/spawn)
I just released the first beta version of the library and I'd love to hear what you guys think.
Note: Protection is still missing for pre/post-install scripts, but that's up next.