GHSA-6pw2-5hjv-9pf7 Alternatives
GHSA-6pw2-5hjv-9pf7 reviews and mentions
De-obfuscated Protestware code in node-ipc that wipes Russian computers
Nice! Thanks for sharing that link. I've done a bit of digging into that project before and it's definitely a very promising idea.
It has a lot of the same pitfalls as Dyno, imo, in that it would require somebody to define a "security policy" for every module to whitelist permissions.
But, it's also something that could maybe be attacked in a similar way to how TypeScript types were "retroactively" added for existing NPM packages. I.e., packages that have never added their own type declarations (like `express`) can have their types added to DefinitelyTyped[0] and published as a separate NPM package (`@types/express`).
It works fairly well and something like `@endo-policies/express` wouldn't be crazy to add in later. Obviously it's going to be super painful, but fixing tech debt is always going to hurt.
vm2[1] is another Node project with some semi-similar goals that's worth mentioning. It's not designed to be "applied" in the same way as Endo, but it does give you a way to "sandbox" dependencies.
As a security person, I am wary to trust something like vm2 because it is much harder to "get right" than a "sandboxed-by-default" approach like Endo or Dyno. Look at this[2] CVE on vm2 from a few months ago for some evidence about _why_ this approach isn't ideal.
I'm optimistic for the future but we still have a long way to go before we get to it!
0: https://github.com/DefinitelyTyped/DefinitelyTyped
1: https://www.npmjs.com/package/vm2
2: https://github.com/advisories/GHSA-6pw2-5hjv-9pf7