This repository was archived by the owner on Aug 11, 2022. It is now read-only.
I'm opening this issue because:

I just read this article about [email protected] and npx.

If I understand correctly, using e.g. `npx create-react-app my-project` will install `create-react-app`, execute it, and uninstall it once it's finished.

Isn't this a potential attack vector? If somebody created a package like `create-recat-app` (note the typo), people mistyping dependencies might download malicious programs that are then immediately executed. Especially beginners might even enter sudo credentials if a program asks for them.

I'm not sure this is actually a problem, just something that came to mind. But maybe you already thought of this.
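A defensive check for the near-miss problem raised in the post, added here as an example that is not part of the original issue or of npx itself: before handing a package name to `npx`, compare it against a constructed allowlist of known package names and flag anything within a small edit distance, so a typo such as `create-recat-app` (distance 1 from `create-react-app`) is surfaced instead of fetched and run. The allowlist and the distance threshold are assumptions for the example, not a registry lookup.

```javascript
// Constructed sample allowlist of package names a team actually runs via npx.
const KNOWN_PACKAGES = ["create-react-app", "create-next-app", "typescript", "eslint", "prettier"];

// Damerau-Levenshtein (optimal string alignment) distance: insertions, deletions,
// substitutions and adjacent transpositions each cost 1, so "recat" vs "react" is 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Strip a trailing version or tag ("pkg@1.2.3", "@scope/pkg@next") to get the bare name.
function bareName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Classify an npx target: "known" (exact allowlist hit), "suspicious" (within
// maxDistance of an allowlisted name but not equal to it), or "unknown".
function checkNpxTarget(spec, known = KNOWN_PACKAGES, maxDistance = 2) {
  const name = bareName(spec);
  if (known.includes(name)) return { verdict: "known", match: name };
  let best = null;
  for (const k of known) {
    const dist = editDistance(name, k);
    if (dist <= maxDistance && (best === null || dist < best.dist)) best = { name: k, dist };
  }
  return best ? { verdict: "suspicious", match: best.name } : { verdict: "unknown", match: null };
}

console.log(checkNpxTarget("create-recat-app")); // → { verdict: "suspicious", match: "create-react-app" }
```

A wrapper script can refuse to run a "suspicious" target and print the nearest known name instead, which catches the mistyped-dependency case without blocking genuinely new packages.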