Not entirely related, but I wanted to mention that Python suffers from the same security issues. Most people don't realize that despite PyPI, the Python Package Index, being the primary source for most popular modules, the fact that it's available on PyPI offers no security assurances at all, and any module hosted there is also susceptible to hosting malicious code.
I wonder if methods used to filter malicious JavaScript XSS attacks against web forms could be similarly employed by a plugin, or other means, to look for specific JS functions or strings, like eval(), before a package could be imported or used. It might be a good starter project for someone who has been considering learning how to write plugins for VSCode, Atom, etc.
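A starting point for the scanner this comment proposes, aimed at the Python side of it: an added example, not code from the original post, that walks a downloaded module's AST and flags direct or aliased calls to dynamic-evaluation and process-spawning functions before the package is imported. The call list and the sample module are constructed for this example.

```python
import ast

# Call targets flagged for review before a package is trusted (constructed starter list).
SUSPICIOUS_CALLS = {
    "eval", "exec", "compile", "__import__", "os.system", "os.popen",
    "subprocess.run", "subprocess.call", "subprocess.Popen", "ctypes.CDLL",
}

def _collect_aliases(tree):
    # Map local names to dotted import names so "import subprocess as sp" still resolves.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if getattr(node, "module", None) else ""
            for alias in node.names:
                if alias.name != "*":
                    aliases[alias.asname or alias.name] = prefix + alias.name
    return aliases

def _resolve_call(node, aliases):
    # Dotted name of a simple call target (name or module.attr), else None.
    func = node.func
    if isinstance(func, ast.Name):
        return aliases.get(func.id, func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{aliases.get(func.value.id, func.value.id)}.{func.attr}"
    return None

def scan_source(source, filename="<package>"):
    # Sorted (line, target) pairs for suspicious calls. Name matching is a triage aid
    # only: calls built from strings or dynamic attribute lookups still need human review.
    tree = ast.parse(source, filename=filename)
    aliases = _collect_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _resolve_call(node, aliases)
            if target in SUSPICIOUS_CALLS:
                findings.append((node.lineno, target))
    return sorted(findings)

# Constructed sample module standing in for a freshly downloaded package file.
SAMPLE_PACKAGE_SOURCE = """\
import subprocess as sp
from os import system as run_cmd
def helper(payload):
    eval(payload)
    sp.run(["echo", "hi"])
    run_cmd("echo hi")
"""
```

Running `scan_source` over the sample reports the `eval` call and both aliased process-spawning calls with their line numbers; wiring it into an editor plugin or a pre-install hook is the part left to the starter project.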