zlacker

[parent] [thread] 2 comments
1. timhh+(OP)[view] [source] 2026-02-03 19:37:28
> the second the hooks modify the code they've broken your sandbox

Changes to code would obviously need to be reviewed before they are committed. That's still much better than with pre-commit, where e.g. to do simple things like banning tabs you pretty much give some guy you don't know full access to your machine. Even worse - almost everyone that uses pre-commit also uses tags instead of commit hashes so the hook can be modified retroactively.

One interesting attack would be for a hook to modify e.g. `.vscode/settings.json`... I should probably make the default config exclude those files. Is that what you meant? Even without that it's a lot more secure than pre-commit.

replies(1): >>jdxcod+PG
2. jdxcod+PG[view] [source] 2026-02-03 23:12:49
>>timhh+(OP)
You will execute code before you commit it. Maybe not always, but often enough. You will also have lints on things like build scripts.

I agree it’s better, but not because of wasi

replies(1): >>timhh+Hk4
◧◩
3. timhh+Hk4[view] [source] [discussion] 2026-02-04 22:26:24
>>jdxcod+PG
It is better because of WASI. That's what provides sandboxing.
[go to top]