I've published a new version of Fresh. Fresh is a simple way to create
light and fast isolated contexts in your Terminal. For example, when you
need to run 'npm' commands that install and run code needed for ESLint,
Grunt or Selenium tests.
Get started at https://github.com/wikimedia/fresh
See also:
* https://www.mediawiki.org/wiki/Manual:JavaScript_unit_testing#Getting_start…
* https://www.mediawiki.org/wiki/Selenium/Node.js/Target_Local_MediaWiki_(Con…
Background:
Last month I wrote [1] about the risks and dangers involved in running
"npm install" and "npm test" commands as developers. In a nutshell: there
are no built-in protections. At risk are your personal data, web browser
session, and more. Interactions with 'git', 'sudo' or 'ssh' are also easy
to spy on or influence. This is all in addition to the "normal" risk of
packages having undiscovered malicious (or non-malicious) security problems
in indirect dependencies that have never been audited for security by
anyone you'd know or trust. In particular, I think it is important to
understand that npm is different from Debian or PyPI in terms of social
etiquette and curation. More about that at [1].
-- Timo
[1] https://medium.com/@timotijhof/how-to-protect-yourself-from-vulnerable-npm-…