Currently, releases to npm include a single index.js file. Alternatively, or additionally, there should be an index.min.js file. This is a security issue.
Security impact
CDN providers like jsdelivr find the uncompressed files suboptimal, and they are using their own proprietary, non-repeatable processes to generate the index.min.js that they distribute to users.
For business reasons, they will not support SRI in these types of release.
Source: jsdelivr/jsdelivr#18105 (comment)
To support end-user security (SRI), this project should publish proper, canonical, minified files which can be distributed as-is, without modification (uglification) by CDNs.
References:
https://www.npmjs.com/package/web3/v/1.0.0-beta.36
I don't know how to cite the package formulas other than installing them myself. npm should be better at this. But here is the proof.