External module tampering protection? #170
Comments
So the app would be tested with a specific set of code in the cache folder and then packaged up in Docker or whatever other means with that cache folder pre-populated and would always use the same code since it wouldn't be run with the --reload option?
I think that one solution is to use github.com/gitlab.com/bitbucket.com references with hashes rather than version numbers. The issue is that will lead to bitrot as github/gitlab/bitbucket projects will churn. I worry that you may need to have a global caching service (deno-cache.com) that you can use as a primary point that caches based on hash/version and ensures you are always alive. The only thing worse than relying upon npm to be up while building is relying upon many websites to be up while building.
@ejsmith If you can rule out MITM attacks (https) and you trust the origin to have immutable URLs, I don't see how this is less secure than using npm, because these are two things you trusted npm with in the first place too.
The
NPM addressed that issue with the auto-generated package-lock.json, which includes the hashes of the downloaded dependencies. If npmjs.com later tampered with the module, then
@agentme From the project description:
And the browser addressed this issue with subresource integrity. A mechanism like that can find a parallel in
closed in favor of #200
Remove http/mod.ts
This project looks very promising and exciting. I like how simple it is to use external packages. My question would be how would you go about ensuring that external dependencies haven't been changed?