FYI, here is the Debian bug for packaging Electron: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842420
There's nothing wrong with Electron itself. It has been ported to FreeBSD and is long available in ports. The problem is that Electron is used as a Trojan Horse to drive NodeJS packages.
Whatever language / runtime environment you use, always check your dependencies closely and pay close attention to name spoofing / typosquatting.
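One defender-side check that follows from the advice above, as an added example that is not from this thread: a small Node.js script that flags dependency names sitting within one edit of a well-known package name, the pattern typosquatting relies on. The list of "popular" names and the sample package.json contents are constructed for the illustration.

```javascript
// Added example (not from the thread): flag dependencies in a package.json whose
// names are one edit away from a well-known package. The POPULAR list and the
// sample manifest below are constructed for this illustration only.

const POPULAR = ["lodash", "express", "react", "chalk", "commander", "debug"];

// Classic Levenshtein edit distance using a single rolling row, O(|a| * |b|).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next diag
      prev[j] = Math.min(
        prev[j] + 1,                              // deletion
        prev[j - 1] + 1,                          // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)    // substitution / match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns [{ name, lookalikeOf }] for each dependency that is not itself a
// known package but lies within `maxDistance` edits of one.
function findLookalikes(manifest, popular = POPULAR, maxDistance = 1) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const known = new Set(popular);
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (known.has(name)) continue; // exact well-known name: nothing to flag
    for (const p of popular) {
      if (editDistance(name, p) <= maxDistance) {
        hits.push({ name, lookalikeOf: p });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample manifest: two genuine names, two one-character lookalikes.
const SAMPLE_MANIFEST = {
  dependencies: { lodash: "^4.17.21", expres: "1.0.0" },
  devDependencies: { chalk: "^5.0.0", comander: "0.0.1" },
};

console.log(findLookalikes(SAMPLE_MANIFEST));
```

Run it against a real manifest by replacing SAMPLE_MANIFEST with `JSON.parse(fs.readFileSync("package.json"))`; a hit is a prompt to verify the name, not proof of malice.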
No. Other projects have a more centralized nature with upstream devs having control over the content of used dependencies. In NodeJS npm just downloads the latest versions of hundreds/thousands of GitHub projects without anybody being able to even track what versions are used in particular cases. There is no easy way to freeze dependencies, to have reproducible builds, to fingerprint files, etc. This creates an ecosystem prone to security violations.