Everyone who runs Node runs untrusted code (depending on your definition of untrusted). No one I’ve ever worked with made an effort to review the source of the thousands of dependencies they were slinging around.
I’m pretty sure untrusted code means code you can’t trust, which includes any code that you haven’t either analyzed yourself or put through some sort of institutional review with auditable sign-offs.
It is how these conversations always go:
There’s a hole in the sandbox.
If you were trusting the sandbox, you were already doomed.
Nobody validates their code well enough to trust it. (we are here)
The ecosystem and industry is just irreparably damaged.
What am I supposed to do about that?
Non-solutions, because it is an impossible problem to actually fix
Web browsers rely on the sandbox. Almost everyone runs untrusted code every single day. There are very few people who do not trust the sandbox.
It does not directly affect servers if one rejects your rather broad definition of untrusted, but does indirectly.
> I’m pretty sure untrusted code means code you can’t trust, which includes any code that you haven’t either analyzed yourself or put through some sort of institutional review with auditable sign-offs.
That is so broad that very few people are running trusted code. You would need to ensure your entire stack down to the firmware it runs on had been analysed.
I would expect "untrusted code" to mean "code in a sandbox" or "code I'm not gonna run at all anytime soon", so running code from thousands of dependencies in node is effectively trusting all of that code, unless it is your direct expectation that it is malicious (and even then, aren't you trusting it to be malicious?).
The trust we give to random dependencies like that is quite arguably unwarranted to a large degree, but it doesn't mean the code isn't trusted.