Perl-Toolchain-Gang / CPAN-Meta

Specifications for CPAN distribution META files

Prevent loading optional modules from cwd #120

Closed xdg closed 8 years ago

xdg commented 8 years ago

This seems to be the trend for toolchain-ish modules. Do we need it here, too?

ribasushi commented 8 years ago

Generally the simpler local @INC "workaround" is not suitable for any spot that loads arbitrary files. See this test (specifically lines 14~20) for a contrived but possible example.

Loading specific (i.e. known) optional plugins from CPAN usually can slide with local alone, since they almost by definition will not try to alter the surrounding environment.
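As an added illustration (not code from the CPAN-Meta project) of the local @INC workaround ribasushi refers to, applied to a known optional backend; JSON::XS as the optional module and the fallback to core JSON::PP are assumptions for the example:

```perl
use strict;
use warnings;

# Added example, not CPAN-Meta code. Load a *known* optional module with
# the current directory removed from @INC for the duration of the require,
# so a same-named .pm in cwd is never picked up. Returns 1 on success,
# 0 if the module is not installed.
sub load_optional_module {
    my ($module) = @_;

    # Only accept a well-formed package name; never build a path from
    # untrusted input.
    die "bad module name: $module"
        unless $module =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;

    (my $file = "$module.pm") =~ s{::}{/}g;

    # Drop '.' and the empty entry so @INC cannot resolve into cwd.
    local @INC = grep { $_ ne '.' && $_ ne '' } @INC;

    local $@;
    return eval { require $file; 1 } ? 1 : 0;
}

# Prefer the optional backend when present, otherwise use core JSON::PP.
my $json_class = load_optional_module('JSON::XS') ? 'JSON::XS' : 'JSON::PP';
require JSON::PP if $json_class eq 'JSON::PP';
print "Using $json_class\n";
```

The protection covers only the require itself: once the local scope ends, @INC is restored, so anything the loaded module does later (its own requires, plugin discovery) is outside this guard, which is the limitation ribasushi describes.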

Leont commented 8 years ago

> This seems to be the trend for toolchain-ish modules. Do we need it here, too?

I don't think we really do. In the normal case (JSON::PP and CPAN::Meta::YAML), it's not an optional dependency so it isn't relevant. When the backend is overridden you can reasonably assume that that module is installed; if not, PEBKAC.

I don't see this as a credible attack vector.

xdg commented 8 years ago

OK. Closing this PR.