npq VS download-node-nightly-executable

You might also want to look at npq which is an open source project that helps you proactively defend against potentially bad (malicious) npm packages before installing them.

You just described my project called npq: https://github.com/lirantal/npq :-)

That's pretty cool. I was just recently publishing about Ruby gem lockfile injection attacks (read here: https://snyk.io/blog/ruby-gem-installation-lockfile-injection-attacks/). I also wrote something related to this for npm users, but not a sandbox, called npq: https://github.com/lirantal/npq/

In any case, proactively protecting against is indeed the more difficult thing to do, but also the rarer and sort of 0 day vulnerabilities that happen. That said, I built a module called npq (see here https://github.com/lirantal/npq/) that helps me, and others, countermeasure against these sort of malicious incidents. In light of recent malicious incidents, it calls for updating some of the capabilities there (referred to as marshalls)

npm never has to get written to or installed on your machine. download-node-nightly-executable.

WHat do you mean by "contribute"? I download only the node executable using download-node-nightly-executable to run native-messaging-nodejs, servers, or whatever else I decide to experiement on - without downloading any packages.

If you only need the node executable without npm, node_modules and the rest of the folders and files shipped in Node.js download archive you can use this https://github.com/guest271314/download-node-nightly-executable.

I use DecompressionStream() to decompress the Node.js nightly release before extracting only the node executable from the tar archive https://github.com/guest271314/download-node-nightly-executable/blob/main/index.html.

Yes. I create a file called node, touch node, set the file to executable chmod u+x node, then fetch the Node.js nightly release using this https://github.com/guest271314/download-node-nightly-executable, get rid of everything except the node executable, then run that node executable from the directory I download the file to. Then afterwards truncate the node execute to a file with 0 size, as it began as with

Node.js does not publish a release containing only the node executable. That is why I wrote this https://github.com/guest271314/download-node-nightly-executable to fetch the Node.js nightly download, extract only the node executable, and get rid of everything else in the download that never reaches my file system.

If you do not already have the node executable https://github.com/guest271314/download-node-nightly-executable.

Note: You can use node executable without using npm or npx at all download-node-nightly-executable. Create package.json including {"type":"module"} then you can import local .js files, e.g. https://github.com/guest271314/jsdom-extension/blob/main/background.js

As to that point, FWIW, it is easier to download the Deno executable than the Node.js executable, because Deno only includes the executable i the download - Node.js include npm, npx, et al. That is why I wrote https://github.com/guest271314/download-node-nightly-executable to extract only the node executable for Node.js nightly download.

FWIW I wrote this https://github.com/guest271314/download-node-nightly-executable to fetch the node nightly executable from the release folder than contains npm because I have no use for npm nor packages. I just use node executable as a Native Messaging host, which does not require any dependencies, just the javaScript runtime, where I can call process.spawn() and thus execute any local JavaScript file or other application written in any programming language.