I'm a big fan and user of Luajit, and as much as I understand the problem of 'trusting' loading files around, in the case of LuaJIT anyone using the API would be /crazy bonkers/ to load code from anywhere else than a very specific, very closed source base.<p>Luajit has FFI, that allows you you to call back into any C code, libraries, structure and so forth, so by definition you KNOW the LUA you run in LuaJIT is not 'safe scripting' but more or less part of the running process, with no barrier (and thats part of the beauty of it).<p>The good news is, you 1) can't easily load lua files in LuaJit and 2) can make your own 'loader' in your LuaJIT application that can match a hash for anything you load, before it's loaded - it's fairly trivial in fact.<p>So that article could be replaced by search/replacing with something like 'if you load a dynamic library in C and dybload() a symbol and call it, it CAN BE NASTY!' well yeah, it can. Don't trust external code, otherwise someone will make a clickbait out of you :-)