@lrvick@mastodon.social foreach sounds like a package that you shouldn't need with Array.prototype.forEach
@bekopharm
So it could happen to PyPI (Python), RubyGems (Ruby), Crates (Rust), … too :-(
@Johann150
@bekopharm
Exactly.
(Google, boo! 😈)
@RyunoKi Google boo whatever. Try releasing a Chrome extension without :P
(Or an Android app).
@bekopharm
Pah!
Why would I want to write for Chrome?
That doesn't help Firefox at all.
@valhalla @clacke @federico3 @bekopharm @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi
The second layer is called "distros" :P
@valhalla @clacke @federico3 @bekopharm @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi also, since with the first layer you have to re-audit with every update, you may as well vendor that dependency (as in, put a copy of a specific version in your repo), so arguably GitHub could be enough as the first layer
@valhalla
Hard to do with multiple projects on the same machine.
Nor using Docker or VMs.
(Anybody want to stop getting notified?)
@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150
@federico3
That sounds like something I need to research more.
So far I only used chroot for repairing broken installations.
@valhalla
@RyunoKi
There's a series of articles starting from:
https://www.enricozini.org/blog/2021/debian/gitlab-runners-with-nspawn/
Most of the time you just need an ephemeral run akin to running chroot.
@yes @Johann150 @RyunoKi sorry, failed to parse that, but yes, that's a very common thing in npm too due to its popularity.
@bekopharm
That's a different attack vector.
The above is turning a benevolent package into a malicious one while there is seemingly no change in authorship (same email address).
@Johann150
@RyunoKi …and browser extensions and game mods. Heck, whatever allows regaining access to an account via mail, basically.
No 2FA on your Google Dev account? Too bad 🙃