Ask HN: Development Environment Sandboxing on macOS
I've been thinking of ways to sandbox development-related programs/processes/data on the MacOS. A primary use case is to protect the whole system from the, for example, malicious NPM library. I'm aware that there is some application sandboxing built-in into the MacOS. However, I don't know to what extent it covers this use case.
For this discussion, let's consider full-fledged IDE, like IntelliJ Idea, and skip remote development using VSCode/CLI editor over SSH/TRAMP/Projector. Also, examine a case where we would like to run multiple different applications inside the same sandbox for a specific project (e.g., IntelliJ + iTerm).
Please focus on the MacOS — I already know how to solve this issue on Linux.
4 comments
[ 4.5 ms ] story [ 21.8 ms ] threadPlus, there is yarn.
IntelliJ has access to all downloaded packages (to provide autocompletion, etc.) and run npm/yarn/whatever's scripts/actions. This IDE has a lot of customized support for specific tools, which I find valuable, and wrapping everything in a shell script delegating work to a container means losing this support. At the same time, running IntelliJ as a native application, I'm able to open an embedded terminal and enumerate files in my home folder (with exceptions, like Documents and Downloads, but I'm not able to isolate projects from each other). I'm trying to keep all fancy stuff but isolate different projects from the host and each other.
As for yarn: npm is only an example. The same problem affects almost every package manager. NodeJS ecosystem is convenient here because nearly everybody has heard of some malicious JS package.
If you're really that concerned with the lack of provenance of your JS libraries, you can 1) analyze the source of every dependency, direct or indirect, or 2) write code in a different language that you ARE able to trust, then compile to a WebAssembly target.