Browser Sync vulnerability ... (again) #215
@brandondees a long-term dream would be to have ZERO dependencies. #UseThePlatform. /cc @JoshuaBehrens
yeah usually dev dependencies are less critical to patch than bits that go into prod, but supply chain attacks and all that are still a factor. I wonder if there's a good pattern for separating the dev kit from the library/package itself, as in separate repos or whatever. That would enable a better signal to noise ratio on tracking changes to snuggsi itself and let the dev tooling be a bit more free to do whatever whenever without bothering downstream users.
@brandondees yeah that's the irony of this project. 99% of any of these headaches don't exist in user land if they use: <script src=//unpkg.com/snuggsi></script> But people love to install stuff tho. The jQuery folk will get it. That's one thing jQuery got right. Installation process. Would love an installation like <script src=//snuggsi.com></script> The W3C & WHATWG platform spec is updated now to strip the
@snuggs Yeah I understand. The big downside of linking to a source like unpkg is A: it could have a security breach and the code changes out from under you, B: their downtime is now your downtime too. There's some interesting blockchain / dweb tech coming along that may eventually make those problems a thing of the past, but till then, if we want content integrity, security, and reliability, we have to self-host our frontend. I'm not arguing that it shouldn't be made available in that form, just that it's totally reasonable/normal for production apps to require their own full copy. The built library doesn't need to ship from NPM with all the dev tools, however. It could be just the one combined source file on npm, and the development setup for it could be installed separately/optionally.
@brandondees makes total sense. Hence this type of rigamarole. I knew from day 1 that unpkg was not a final solution. But since didn't actually own Regarding code change...is this what the
Yep, Subresource Integrity means the browser will check to make sure the content received matches what the parent page expected before trusting it. Best practice, but it also requires that the content from a given asset URL never changes unexpectedly (you'd have to have a version-specific CDN URL to link to before you could safely add the attribute).
References: axios vulnerability via browser-sync