It sucks that #SkyPack didn't catch on.
#webDev #javaScript #js #web #esm #modules #esmodules #packageManagement #programming #cdn #deno #node #npm
Finally found the time to open a discussion on the Snowpack forums about the lack of subresource integrity (SRI) in Skypack: https://github.com/snowpackjs/snowpack/discussions/2569
(Background: my post from the end of last year titled Skypack: backdoor as a Service? https://ar.al/2020/12/30/skypack-backdoor-as-a-service/)
#skypack #snowpack #SubresourceIntegrity #SRI #security #privacy
“If I were In-Q-Tel right now, I’d be drooling as I wrote a check with lots of zeros in it for the Skypack folks because widespread use of Skypack would be any national security agency’s wet dream. Imagine being able to inject any code into any web application at any time to obtain login credentials, etc.
This isn’t even a backdoor. This is a wide open frontdoor. It’s basically Backdoor as a Service.”
There’s some exciting work being done with projects like SvelteKit to reduce complexity and improve the developer experience when building web applications. At the heart of these efforts are basically three core elements:

1. A front-end framework like Svelte or Vue.
2. Native browser support for ECMAScript Modules.
3. Hot Module Replacement (e.g., see esm-hmr).

At deployment, bundling as usual with a tool like esbuild or rollup. Two development tools that support this workflow are Vite, from the folks behind Vue, and Snowpack, from the folks behind a Content Delivery Network (CDN) called Skypack.