POLA Would Have Prevented the Event-Stream Incident

Mark Miller erights at gmail.com
Mon Dec 3 22:19:04 UTC 2018

The npm / event-stream incident is the perfect teaching moment for POLA
(Principle of Least Authority), and for the need to support least authority
for JavaScript libraries.
by Kate Sills (cc'ed) explains the point. The links at the end of Kate's
article are worth following. In particular:

Securing EcmaScript, presentation to Node Security
my presentation explaining many of these issues *prior to* this particular

At the recent (November 2018) tc39 meeting, I presented on the enhancements
needed to support least authority for JavaScript modules and libraries,
adequate to have prevented this incident.

Besides es-discuss
would be a good place to discuss these issues.
