Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

npm should run in Docker containers by default. At least to restrict access to the project being built.

But the result of a compiler will run on the machine anyway, but once again, it should be in a Docker.



It blows my mind that developers will install things like npm, random libraries and so on on their machine, sometimes their personal one with the keys to the kingdom so to speak. But then again, people are now installing MCP servers the same way and letting LLMs run the show. Incredible really.


So, what do you do for Windows and macOS users, in corporate environments, who don’t have access to virtualization on local machines? This describes most of the places I’ve worked as a consultant.

Container technology is awesome, and it’s a huge step forward for the industry, but are places where it’s not feasible to use, at least for now.


Docker is not a security boundary.


Sure it is. It isn't airtight but then what is?

Even KVM escapes have been demonstrated. KVM is not a security boundary ... except that in practice it is (a quite effective one at that).

Taken to the extreme you end up with something like "network connected physical machines aren't a security boundary" which is just silly.


> Taken to the extreme you end up with something like "network connected physical machines aren't a security boundary" which is just silly.

1. This is why some places with secret enough info keep things airgapped.

2. OTOH, from what I recall hearing the machines successfully targeted by Stuxnet were airgapped.


Yeah, you have to move it off-planet to achieve an actual security boundary.

In our threat model the upper bound on the useful lifetime of the system is limited by the light-distance time from the nearest adversary.


Ah yes, the "maximally aggressive grey goo" threat model.


No software is perfect but there is a massive difference betwen these two boundaries. If there is a escape in KVM its news worthy unlike in docker. I don't feel like pulling up cves but anybody following the space should know this.


There's an even bigger difference between using Docker and not using any sort of protection, it's always going to be a security vs convenience tradeoff. Telling people who want to improve their security posture (currently non-existent) that "Docker is not a security boundary" isn't very pragmatic.

What percentage of malware is programmed to exploit Docker CVEs vs. just scanning $HOME for something juicy? Swiss cheese model comes to mind.


It is better the same way a rope is better than no seat belt at all. Recommending Docker as a sandbox gives a false sense of security.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: