Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minified build in npm package makes auditing harder #204

Open
joepie91 opened this issue Aug 28, 2020 · 3 comments
Open

Minified build in npm package makes auditing harder #204

joepie91 opened this issue Aug 28, 2020 · 3 comments
Labels
2.0 proposal

Comments

@joepie91
Copy link

Hi,

TweetNaCl.js currently includes a minified build in its package on npm, but unfortunately this is making dependency auditing quite a bit harder; now in addition to a human-readable version, a minified version now also needs to be audited and/or reproduced (which has its own toolchain trust issues).

I've written a bit more about this topic (and why minified builds are not useful on npm) here -- I'd like to request removing it from the npm package :)
@dchest
Copy link
Owner

dchest commented Aug 28, 2020

Makes sense. Note that the default import uses non-minefield version, so unless the user of the library imports a minified file explicitly, nacl-fast.js will be used.

I’ve marked this for 2.0 version, since removing minified builds would be a breaking change.

Thanks!

@dchest
Copy link
Owner

dchest commented Aug 28, 2020
edited
Loading

*non-minified. But I like that autocorrect turned it into “non-minefield” 😄

@joepie91
Copy link
Author

Great, thanks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.0 proposal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dchest @joepie91