Introduction | Skypack Docs

Skypack is a JavaScript Delivery Network for modern web apps

Finally found the time to open a discussion on the Snowpack forums about the lack of subresource integrity (SRI) in Skypack: https://github.com/snowpackjs/snowpack/discussions/2569

(Background: my post from the end of last year titled Skypack: backdoor as a Service? https://ar.al/2020/12/30/skypack-backdoor-as-a-service/)

#skypack #snowpack #SubresourceIntegrity #SRI #security #privacy

Skypack and (lack of) subresource integrity · Discussion #2569 · snowpackjs/snowpack

WASM-powered frontend build tool. Fast, lightweight, unbundled ESM. ✌️ - snowpackjs/snowpack

“If I were In-Q-Tel right now, I’d be drooling as I wrote a check with lots of zeros in it for the Skypack folks because widespread use of Skypack would be any national security agency’s wet dream. Imagine being able to inject any code into any web application at any time to obtain login credentials, etc.

This isn’t even a backdoor. This is a wide open frontdoor. It’s basically Backdoor as a Service.”

https://ar.al/2020/12/30/skypack-backdoor-as-a-service/

#skypack #snowpack #cdn #security #privacy

Skypack: Backdoor as a Service?

There’s some exciting work being done with projects like SvelteKit to reduce complexity and improve the developer experience when building web applications. At the heart of these efforts are basically three core elements: A front-end framework like Svelte or Vue. Native browser support for ECMAScript Modules. Hot Module Replacement (e.g., see esm-hmr). At deployment, bundling as usual with a tool like esbuild or rollup. Two development tools that support this workflow are Vite, from the folks behind Vue, and Snowpack, from the folks behind a Content Delivery Network (CDN) called Skypack.