So, the solution is to keep all your NPM repos out of the page.
But the issue is not really solved, as your backend has NPM [Node], Composer [PHP], PyPI [Python], etc. AFAIK all of these have worse sandboxing than the browser does.
(I recognize that the threat envelope is different. E.g., a Stripe form never sends the credit card info to your back-end, so it may be better. On the other hand, the server can access the Stripe key, which is a crown jewel...)
What is the solution?