Basically just around the "implicit contract" I mentioned in the article. It feels "dirty" or "shady" or "creepy" to have a library force your computer to upload information about you (minimal as it may be) to anyone. The irony, of course, is that you're trusting NPM with this knowledge...basically as a requirement, since they have a monopoly in this space (No wonder Microsoft liked them! 🤣). Also, nothing about the npm install build process is secure. There's nothing stopping a library from adding a postinstall script that uploads ~/**/* to a server somewhere, and now you have no privacy. None of us are running our npm install commands from some permissions-restricted account, aside from the CI vendors.
What's your opinion on? Are either of those deal-breakers?
And what would be an acceptable opt-out mechanism?