About new NodeJS requirement

Posted: Sat May 07, 2022 2:16 am
by barbaz
Just noticed ... 1117519022, and that the commit referenced there introduces a NodeJS requirement in the build process.

1) What is the exact NodeJS requirement? Is there a minimum supported version?
Does the build process also require something to be installed through npm and/or yarn? Or will it work with only NodeJS itself without any package manager?

Could the details of the NodeJS requirement please be documented in the nscl readme?

2) Is it just me, or is requiring NodeJS somewhat ironic for a security tool? Due to concerns about malware written for NodeJS (especially malware written for npm), I don't have NodeJS on my primary machine. I only use NodeJS in a disposable, AppArmor-contained VM.

On the other hand, none of my concern is about NodeJS itself. And it seems highly unlikely Giorgio would require NodeJS (not just for NoScript, but for all nscl extensions) if he saw the level of potential security risk I've thought there is.

Should I be re-evaluating my take on NodeJS in light of this? Has something changed since I decided some years back to actively avoid installing NodeJS on my primary system?
Or would I best just move building my nscl-using extensions to a VM?

Re: About new NodeJS requirement

Posted: Thu Aug 11, 2022 8:16 pm
by barbaz

Just saw this - ... re_report/
And clicking the "NPM" tag at the end of that article shows many recent incidents of npm/NodeJS malware: The level of malicious activity driving my concern is still ongoing.