Use CDN with SRI

[fulldecent]

Presently the README recommends using CDN like this:

<script src="https://cdn.jsdelivr.net/gh/ethereum/web3.js/dist/web3.min.js"></script>

Source: https://github.com/ethereum/web3.js/blob/develop/README.md

Please switch to a better CDN provider that providers stable resources and integrity hashes (SRI). This will remove a current vulnerability in the system and it will improve resource caching.

[MartinKolarik]

No need to switch the provider, just use this if you want SRI: <script src="https://cdn.jsdelivr.net/gh/ethereum/[email protected]/dist/web3.min.js" integrity_no="sha256-nWBTbvxhJgjslRyuAKJHK+XcZPlCnmIAAMixz6EefVk=" crossorigin="anonymous"></script> (from https://www.jsdelivr.com/package/gh/ethereum/web3.js?path=dist).

@fulldecent note that this link uses a different package (or a different source, actually - GitHub) than jsdelivr/jsdelivr#18105 because this project doesn't ship the build file in npm package.

[fulldecent]

Thank you, posted in pull request #2012

[MartinKolarik]

In my experience many people (and even more project maintainers) prefer the versionless links though because they don't become outdated (or don't have to be updated every time). A good compromise might be keeping the current link without SRI and adding a note like "or get a link with SRI enabled here", linking to https://www.jsdelivr.com/package/gh/ethereum/web3.js?path=dist

[fulldecent]

The programmers become irrelevant when the customers leave. Security first!