Yes, that is exactly how the axios supply chain attack worked… It ran post install script (on dependency) that downloaded malware, ran it and even cleaned it up. Everything on that machine was compromised… It can be any dependency of dependency too, deep down in the tree…
In case of NPM version pinning is a good practice. But also set it to ignore post install scripts. They are a bad practice and only about 2 % of all packages use it so it is unlikely it will bother you. They, the post install scripts, were used in recent supply chain attacks btw (the axios). You can either set it project wide in .npmrc file, add ignore-scripts=true, that is good for project where multiple people collaborate. And/Or system wide by running npm config set ignore-scripts true for your personal workspace. You can also achieve it by using --ignore-scripts flag during npm install, but that is way too impractical to always think about it.
Also I would recommend checking npq, its a wrapper around npm cli that will give you some security summary before installing anything (and it is able to give you warning about post install scripts).
You probably already found out, but yes you can.
Can it connect to the VPNs simultaneously though? I don’t have it, but from what I see it can have configurations from multiple vpns but only one can be up at a time.
I am running tailscale to access my homelab and my exit node and I use wireguard protonVPN connection for that exit node. It involved messing with nftables, check this for more info. In theory, you could do the same with two wireguard connections. One connection in and one as an exit. Maybe easier solution would be having these on separate machines/vms. Having the exit vpn on the openWRT as default for all connections and then the connection in on a separate container or vm, and it would exit through the router. I am not sure but I think the wireguard then naturally exits trough the router (gateway).
Its your right of course. I think, though, that internet is often amplifying even the tiniest negative things while forgeting all good stuff (not limited to TrueNAS). I hate such culture, especially when the people (not you, in general) then go and use stuff like Twitter and similar. I mean how is it that people witch hunt this incredible free product they are getting, no strings attached and at the same time doom scroll tik tok or use WhatsApp or have windows or mac… You get the gist. I wish internet echo chambered also the positive stuff… I’ll stop rambling, sigh, sorry…
As started in other comments, TrueNAS is staying open source, only the build system is going closed source because some company was ripping them off and removing license. But the OS system itself can’t go closed source because of the gpl license.
So no need to move away if you like it.
I am with you on the whole not wanting to use torrents. And also kinda have similar issue. I try to buy my stuff, but its becoming harder and harder avoid DRM.
There is a benefit though in not having a huge library, I am not paralyzed with choice and I am more intentional with listening to my music. Almost like the good old days, taking a tape and sitting with my wired headphones next to a hi-fi system and “just” listening.