Closed PascalSenn closed 1 year ago
This issue/pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs in the next 7 days to keep our backlog clean. Thanks for your contributions.
@mattisssa thanks
Hey @PascalSenn – we've created an overview page for security in our developer docs: https://developers.raycast.com/information/security That might answer some of your questions. Generally, we're open for suggestions and improving security will be an iterative and ongoing effort.
Hi there
First off, Raycast is great. Superfast native UI experience that can easily be extended; I love it.
I was skimming through the PR section and I am amazed how many people are already contributing great extensions!
I also saw that there are binance extensions, 1password, docker et al. and then I asked myself how raycast executes nodejs. I am wondering if there are any security mechanisms in place to avoid things like the event-stream incident (btw this is also a good read).
It is relatively easy to include vulnerable dependencies in a JavaScript package and there are already extensions that use nodejs packages that are not officially published (e.g. docker extensions).
In the JS ecosystem, developers are used to just installing a package if they need functionality. And this can quickly become a problem (e.g. left-pad).
So the question is:
dependency-free) that only makes use of exec and cli tools?