| ▲ | grugdev42 2 hours ago |
| The joke is on you NPM! I only use CDNs for my JS libraries. |
|
| ▲ | iconicBark an hour ago | parent | next [-] |
| Is this more secure?? I would genuinely love to know |
| |
| ▲ | n_e an hour ago | parent | next [-] | | Yes (assuming they're doing frontend dev and including the resources from the page). The code is fetched and executed from the browser, so It'll have to escape the browser sandbox to do something nefarious. | |
| ▲ | bdcravens an hour ago | parent | prev [-] | | Yes, none of npm's lifecycle hooks. You're just pulling bytes over the wire. | | |
| ▲ | runtime_terror an hour ago | parent [-] | | Except now you're making http calls to remote servers that could be compromised. | | |
| ▲ | phpdave11 38 minutes ago | parent [-] | | As long as you embed it with an SRI integrity hash, you're safe, even if the remote server is compromised. |
|
|
|
|
| ▲ | lostmsu an hour ago | parent | prev [-] |
| Same. I came back to do a little frontend work a couple of years ago and was horrified by the replacement of script tags with subresource integrity with npm and bundlers. |
