Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It doesn't matter how much of the package you use. Here, you can use literally 0% of Koa and get pwned by one of its transitive dependencies (koa > cookies > keygrip > tsscmp) by simply importing the parent package:

    mkdir demo && cd demo
    npm install --save koa@3.2.0
    echo 'console.log("--- pwned by a transitive dependency ---")' >> node_modules/tsscmp/lib/index.js
    node -e "import 'koa'"

--- pwned by a transitive dependency ---


My point was for proper package management tools that don't allow running scripts.


His example did not involve running any post-install scripts.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: