Protecting Your Host from Malicious Dependencies

(grepular.com)

10 points | by Brajeshwar 15 hours ago

3 comments

  • sgbeal 14 hours ago

    > To that end, I wrote a python script which isolates npm inside short-lived docker containers.

    Somewhat ironically, docker is just as subject to this type of attack as npm, the main difference being that it (usually) has a narrower blast radius.

    • mike-cardwell 12 hours ago

      Guessing you meant "python" rather than "docker", as docker is not subject to the same type of attack. However, it's a single .py script that you copy somewhere. Not even close to a typical nodejs project using npm install.

      • sgbeal 7 hours ago

        > Guessing you meant "python" rather than "docker", as docker is not subject to the same type of attack.

        No, I meant docker. _All_ systems which pull dependencies from remote sources are subject to attack via malicious dependencies (and a docker image is one big mega-dependency made up of an arbitrary number of other (remote) dependencies).

        Docker is not immune to container-escaping attacks, but they have proven to be relatively rare, thus the aforementioned blast-radius reduction compared to npm compromises.

        (Edit: for that matter, all dependencies, remote or not, can be malicious, but remote dependencies are a particularly rich target for attackers.)