If you look at the postmortem (source: #1462688) of the axios attack (#1462677) then you see this trend where every repo that follows "best practices" of providing publish tokens to GH for automated npm or pypi publication (e.g. #1460434) is now vulnerable and we're seeing big packages getting exposed. Since every lazy maintainer that ever roamed the earth gives GH their publish tokens, ignoring the security implications probably even without thinking, this means that we're looking at up to 80% of packages being vulnerable right now, either through the maintainer's own lax security or that of their upstream deps, which they likely didn't review.

This means that at this point, installing anything on a workstation or laptop without proper isolation is asking for trouble. So, to make it hard on myself, I force containerization of everything. The njs alias is just so that I still have runtime, but no npm. If you don't have it installed, yet someone targets your box through npm postinstall scripts, then... they better be able to break out of non-privileged container runtime.
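The poster does not show the `njs` alias itself, so what follows is an added example of how such a thing can be built, not the poster's own shell setup. It is a POSIX `sh` function that runs `node` only inside a throwaway, unprivileged container (no network, no capabilities, read-only root and project mount), so the host never has `npm` installed and a malicious `postinstall` script has nothing to run on the host. The runtime (`docker`, or `podman` via `NJS_RUNTIME`) and the image name are assumptions; `njs_cmd` prints the exact command line so the hardening flags can be reviewed without a container runtime present.

```shell
#!/bin/sh
# Added example: a containerized "node only" alias. Not the poster's alias.
# Assumptions: a docker-compatible CLI in $NJS_RUNTIME, an official node image
# in $NJS_IMAGE. Both are placeholders you can override from the environment.
NJS_RUNTIME="${NJS_RUNTIME:-docker}"
NJS_IMAGE="${NJS_IMAGE:-node:22-alpine}"

# Hardening flags, one string so the two functions below share them.
# --network none            : a postinstall-style payload cannot phone home
# --user 65534:65534        : run as nobody, not root, inside the container
# --cap-drop ALL            : no Linux capabilities to abuse for escape
# --security-opt no-new-privileges : setuid binaries cannot raise privileges
# --read-only + --tmpfs /tmp: nothing persists; /tmp is noexec scratch space
# --pids-limit / --memory   : bound resource use of a runaway script
NJS_FLAGS="--rm -i --network none --user 65534:65534 --cap-drop ALL \
--security-opt no-new-privileges --read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=64m --pids-limit 256 --memory 512m"

# njs: run `node <args>` against the current directory, mounted read-only.
# The project directory is deliberately not writable; use a separate, writable
# volume in a separate container if a build step has to produce output.
njs() {
  # shellcheck disable=SC2086  # NJS_FLAGS is intentionally word-split
  "$NJS_RUNTIME" run $NJS_FLAGS -v "$PWD:/work:ro" -w /work "$NJS_IMAGE" node "$@"
}

# njs_cmd: print the command njs would execute (for review or a dry run).
njs_cmd() {
  # shellcheck disable=SC2086
  printf '%s ' "$NJS_RUNTIME" run $NJS_FLAGS -v "$PWD:/work:ro" -w /work \
    "$NJS_IMAGE" node "$@"
  printf '\n'
}

# njs_host_check: succeed only if the host really has no npm on PATH.
njs_host_check() {
  if command -v npm >/dev/null 2>&1; then
    echo "npm is installed on the host; the isolation the alias provides is moot" >&2
    return 1
  fi
  return 0
}
```

Source this file from your shell rc and call `njs script.js` as you would `node script.js`. `njs_host_check` is worth wiring into a login shell: the whole point of the alias is that `npm` (and its lifecycle scripts) never exist on the host, so a stray global install quietly defeats the scheme. Where `npm` must exist inside a build container, `npm config set ignore-scripts true` (a real npm setting) is a complementary layer that stops `postinstall` hooks from executing at all.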