Green-Software-Foundation / if

Impact Framework
https://if.greensoftware.foundation/
MIT License
159 stars 41 forks

Epic - Security #658

Open zanete opened 7 months ago

zanete commented 7 months ago

User Story

As a user of IF, I want security so that I can trust that using it won't create security holes

Scope

LOW - Add an npm audit report when installing plugins

zanete commented 5 months ago

@jawache @jmcook1186 is this epic important to complete before beginning on the Inputs & Outputs? If so, we have an issue for the audit, but running it in sandbox didn't have a great title, so I hadn't created one yet. Let me know what the title of the task could be and I'll create the issue.

jmcook1186 commented 5 months ago

@zanete Personally I'd be totally comfortable with this getting backlogged - we haven't seen a single bug report with a stackblitz link and we haven't tended to use virtualized environments for reviewing PRs, so I'm not sure there is any real demand for this feature at the moment. There's also nothing stopping people from independently moving their workflow to a sandbox when they feel it's necessary, we just don't have to provide a cli tool to shortcut it right now.

There are far more important UX and DX upgrades in the next epic though, so I'd prefer to move on and make this a nice-to-have or a community-led feature on the backlog than something blocking the next epic.

Wdyt @jawache ?

jawache commented 5 months ago

@jmcook1186 and @zanete I agree this can be backlogged, but again if the issue is refined then maybe we add a help-wanted label and turn this into a community contribution?