Looking into jspm and, like Skypack, I can’t find anything on subresource integrity support. Unless I’m missing something, this new crop of ESM-based CDNs – while they sound great otherwise – are basically backdoors waiting to happen.


See: ar.al/2020/12/30/skypack-backd

Skypack issue: github.com/skypackjs/skypack-c
jspm issue: github.com/jspm/project/issues


At least the Deno folks seem to be discussing and working on it: github.com/denoland/deno/issue


@aral I think it'd be cool to use a content-addressed system like IPFS to address this, but I haven't thought about it too much!

@EvanHahn See Hypercore (IPFS is VC-funded). A signed DAG would be interesting but probably overlaps more with git than my use case. All I really need is a signed hash of the file tacked onto it.
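
The subresource integrity check that the first post finds missing, sketched for Node.js as an added example that is not part of the thread or of any CDN's code. The module bytes are constructed samples, and rejecting empty or unparseable metadata is a choice made here (browsers treat missing metadata as no restriction).

```javascript
// Added example: SRI-style integrity check for a module body fetched from a
// CDN, run before the code is evaluated. Function names are illustrative.
const { createHash } = require("node:crypto");

// Hash algorithms defined by the SRI spec, weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];

// Build an integrity token such as "sha384-<base64 digest>".
function sriDigest(bytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Parse whitespace-separated "alg-b64[?opts]" tokens; tokens with an unknown
// algorithm or malformed digest are skipped, as SRI does.
function parseIntegrity(integrity) {
  return String(integrity).trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], b64: m[2] } : null;
  }).filter(Boolean);
}

// True only if the bytes match a pinned hash of the strongest listed algorithm.
// Assumption of this sketch: no usable metadata means reject (fail closed).
function verifyIntegrity(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const strongest = entries.reduce(
    (best, e) => (ALGS.indexOf(e.alg) > ALGS.indexOf(best) ? e.alg : best),
    entries[0].alg);
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => sriDigest(bytes, e.alg) === `${e.alg}-${e.b64}`);
}

// Constructed sample: the module as reviewed, and a CDN response that differs.
const reviewed = Buffer.from("export const greet = (n) => `hello ${n}`;\n");
const served = Buffer.from(
  "export const greet = (n) => `hello ${n}`;\nconsole.log('changed');\n");
const pinned = sriDigest(reviewed); // recorded when the dependency was reviewed

console.log("reviewed bytes accepted:", verifyIntegrity(reviewed, pinned));
console.log("altered bytes accepted:", verifyIntegrity(served, pinned));
```

The pinned value has to live somewhere the CDN cannot rewrite, such as a lockfile committed alongside the importing code.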
