I just deleted brave-bin (installed from the AUR) & went to install brave-git as I hear there are fewer bugs.
I was blocked from installation due to my having nodejs blocked in my /etc/pacman.conf IgnorePkg= section.
None of my other browsers use npm which lists nodejs & semver as dependencies.
Is it possible to compile Brave without npm?
I've tried by editing out npm in the PKGBUILD but the git clone & compilation process must pull in more instructions that cause a failure due to npm not being available.
I read the page that you linked to. Looks like unfortunately it really doesn't bode too well re. an escape from NPM/node.js at this stage (I've been educating myself & I'm starting to wonder if escape is possible at all?).
I'll keep hoping that a way around the security/privacy issues inherent in NPM/node.js will be removed from Brave by the Brave dev team.
I appreciate why the likes of NPM exists, it is in some ways Java dev heaven. Unfortunately it connects to just too much unknown code & code creators.
What my discovery of node.js has done is make me aware of the security issues in most (if not all) web browsers. Those that I have installed as -bin files are certainly including NPM/node.js in their builds.
So how the hell do we find a way to surf the web in a secure/private fashion these days?
I try (as a political statement - no one asked my permission to track/profile me).
@fatboy I wrote a question looking for more technical knowledge about this problem in the Manjaro off-topic section of the forum. A copy of it follows:
[quote]I've very recently become aware of node.js & its filemanager npm & what looks like the immense security issues that they bring with them.
node.js/npm look to me to be being used by all web browsers & likely just about every other application that uses JavaScript.
This page is worth a read & it is pro-node.js/npm:
If things are as they look to me to be then there are appalling security vulnerabilities that JavaScript brings via node.js/npm.
Which means that no matter how many precautions we take in an effort to secure our browsers for privacy (in particular) we are left with a HUGE gaping hole that is a backdoor for anyone who is serious about invading internet user privacy (at the very least).
A serious threat could be mounted by those with the resources to create many (100s of useful) JavaScript files that would be attractive to other JavaScript devs to use (or parts of them), as these files would via node.js/npm make the devs' lives so much easier when it comes to producing their finished product.
These (possibly 100s or more) files could include security/privacy/tracking code built in & it would never be noticed by the people that use these files.
Does anyone here have any technical knowledge about this situation that they would like to share in an effort to improve our (mine at least) understanding of this situation?[/quote]
FYI, recently we have started using package-lock.json to verify the SHA hash of the packages.
With package-lock.json, making semver more strict such as removing ~ and ^ and requiring security audit on every update of package.json would reduce the security risk.