[GH-ISSUE #2666] Why there are no profiles for pip and npm? #1681

Closed
opened 2026-05-05 08:19:43 -06:00 by gitea-mirror · 3 comments

Originally created by @dandelionred on GitHub (Apr 26, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2666

Installing a package with both pip and npm is not just download & extract:

- `pip install x` runs x's setup.py
- `npm install x` runs scripts listed in x's package.json's `scripts` field (the behavior can be disabled with `--ignore-scripts` though)

Both pip and npm repositories are not checked for malware by some authority, malware is pretty possible there (for example this https://searchsecurity.techtarget.com/news/252453398/Compromised-NPM-package-highlights-open-source-trouble).

Don't we need to cover npm and pip by firejail out of the box?

// I'm not into ruby but probably gems installing poses the same issue.

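As an added example (not code from the original issue or from the firejail project): a small Python check that reads a package's package.json and lists the lifecycle scripts npm would execute during `npm install`, i.e. exactly what `--ignore-scripts` would skip. The hook list and the sample manifest are constructed for this example, not taken from any real package.

```python
import json

# Lifecycle hooks that npm runs automatically as part of an install
# (constructed list for this example; `prepare` runs for local and git installs).
INSTALL_TIME_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_time_scripts(package_json_text):
    """Return {hook: command} for every install-time lifecycle hook declared
    in the package.json `scripts` field. Tolerates a missing or malformed field."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_TIME_HOOKS}


def review(package_json_text):
    """Summarise what would execute during `npm install` without --ignore-scripts."""
    hooks = install_time_scripts(package_json_text)
    if not hooks:
        return "no install-time scripts declared"
    lines = [f"{len(hooks)} script(s) would run during install:"]
    for name, cmd in hooks.items():
        lines.append(f"  {name}: {cmd}")
    lines.append("review these first, or install with `npm install --ignore-scripts`")
    return "\n".join(lines)


# Constructed sample manifest for the example; not a real package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-widget",
    "version": "1.0.0",
    "scripts": {
        "test": "mocha",
        "postinstall": "node scripts/setup.js",
        "build": "tsc",
    },
})

if __name__ == "__main__":
    print(review(SAMPLE_PACKAGE_JSON))
```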

@rusty-snake commented on GitHub (Apr 26, 2019):

> Why there are no profiles for XY?

Because no one has written it yet.

You are right about the fact that there are a lot of attack ways via pip and npm, but a profile for e.g. pip should be very lax as you never know what the different setup.py's need.

> Both pip and npm repositories are not checked for malware by some authority, malware is pretty possible there

If you execute malware on your system you've lost. So you have to check if you can trust a package or not.


@Fred-Barclay commented on GitHub (Apr 28, 2019):

To add to what @rusty-snake says, IMHO any profile that actually works for pip would be too loose to offer any meaningful security and would only give a false sense of security. Probably better to not have a pip profile than for folks to think that they can just abandon reasonable precautions and use a super-weak profile while believing they're safe.

I don't know much about npm though


@dandelionred commented on GitHub (Apr 28, 2019):

I've got your point, guys, thanks for comments. There is no issue then.
