Looking into jspm and, like Skypack, I can’t find anything on subresource integrity support. Unless I’m missing something, this new crop of ESM-based CDNs – while they sound great otherwise – are basically backdoors waiting to happen.
Thoughts?
See: https://ar.al/2020/12/30/skypack-backdoor-as-a-service/
Skypack issue: https://github.com/skypackjs/skypack-cdn/issues/135
jspm issue: https://github.com/jspm/project/issues/92
@aral I think it'd be cool to use a content-addressed system like IPFS to address this, but I haven't thought about it too much!
@EvanHahn See Hypercore (IPFS is VC-funded). A signed DAG would be interesting but probably overlaps more with git than my use case. All I really need is a signed hash of the file tacked onto it.
At least the Deno folks seem to be discussing and working on it: https://github.com/denoland/deno/issues/200