OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.
47 stars, 11 forks

Suggestion: add new criteria for Package Manager FS operations #19

Open lirantal opened 4 years ago

lirantal commented 4 years ago

I would like to add a new criterion for package managers which revolves around other operations that they do. We've nailed down running code with Package Manager Does Not Run Code and doing call-home stuff with Package Manager Does Not Collect Info, but package managers also do filesystem operations, such as linking, and so I want to add a new item, Package Managers Does FS Linking (or we can think of a better name if you have suggestions).

This is based on the recent security vulnerabilities that impacted all three popular JS package managers (npm, yarn and pnpm) due to their filesystem operations when packages with executables defined are installed. Full story for reference: https://snyk.io/blog/understanding-filesystem-takeover-vulnerabilities-in-npm-javascript-package-manager/