😂🤦‍♂️

If you have a lock file, you're already using exact versions. Exact versions in package.json suck. Just don't bump them mindlessly

@@zettca Why exact versions in package.json suck tho ?

@@SummerSC2 - harder to upgrade and vuln audit fix - you'll end up with multiple versions of the same package (needlessly), which can lead to issues

I found if the integrity check fails, it would fail to load the library and your webapp would bascially stop running. Have googled for it, there are some reasons other than malicious attack would also fail the integrity check, that would be a bad user experience for webapp users.

​@@sbk2015But if you get hacked, then that's a really bad user experience.

Low barrier of entry, widely spreaded.

Good point!

Glad it was helpful!

Spending money in open source software? I doubt we'll ever do that 🫠

@@awesome-coding then we will keep having these issues, big projects with high downloads are obviously the targets

😅✌️

​@@awesome-coding and my mama is a dependency of yo mama ;)

@@vaisakhkm783 haha! nois!

😂😂

Yes, but in the case of polyfill, it wouldn't work I think. You use the 'integrity' attribute in the script tag.

Why wouldn't it work @LetrixAR, isn't the browser supposed to check the integrity hash before executing the script?

​@@LetrixARso then the issue is just that Polyfill was a special case where usual security concepts couldn't apply, and you really did need to trust that server implicitly (bad thing) Maybe the solution would be to, instead of sending a single JS file that changes based on browser agent in unpredictable ways, send multiple smaller JS snippets (either zipped together, or just a single js file with range markers) for each of the features that are enabled or not. On a whole-file level that would also change unpredictably, but the client could still do checks on the individual snippets: calculate checksums, determine if this snippet is even needed or wanted, etc. Then you'd need a polyfill downloader library for all this complex logic, but that can be provided from a regular CDN with integrity checks.

​@@mig8447it wouldn't work because the cdn sending the malicious file is also sending the checksum. Checksums really only help with corrupted packets or man-in-the-middle attacks. If you never care to get an updated version then you could always store your own checksum for the specific file you expect to receive.

What if the next time you make a request to your specific version, that script contains a few new malicious lines?

@@awesome-coding It won't. That's the point.

Nobody has time for security until they are forced to make time to fix problems caused by bad security.

Yes they are! Just don't ask why your fonts require this little JS script to run in the background. 👍

I understand the reasons behind your stack. Basically you use HTMX for minimum JS interaction and this allows you to avoid an extra build step for the frontend (The step that's usually done by node). Technically you could download the current versions from CDN locally, run audits on that code to make sure it's safe, and then host those scripts on your server, just like you would host any other static assets (like CSS or images) If you want, you could also add an additional build step, where you would download those scripts from NOM and use WebPack or another bundler to combine all those scripts into a single file.

@@awesome-coding thank you!

I am not working for them - I'm just helping with some of their KZbin content.

Yes, strictly and technically speaking, this applies to everywhere (regardless language and framework) as long as you involve downloading a package from a URL, or fetching a "trust" resource during the runtime and try to execute it. It's just web is more vulnerable to this issue or chain attack due to its nature and history. But the social media just prefers to bash the web more since it's already a "dead horse". Make you feel like it's just a web issue. The dunning-kruger effect is real. You will see a bunch of "devs" laughing at web all the time, but many didn't even know they need to encrypt the secret key in device or password in DB. Just speak from some real experiences. I have to constantly remind myself don't run into the same issue without context.

Man.. in this economy I'm happy if somebody simply pays me a salary...

I mentioned JSR at the end of the video.

What are the alternatives?

😂

Somebody else mentioned this, so I'll pin you comment. Yes, you are right, the integrity attribute covers the script manipulation issue. However, not all CDN providers support integrity as far as I now. Furthermore, if you want to be on the safe side, you would still need to download that script locally and run security tests / audits on it. In real world scenarios you could also risk a developer adding a script from a CDN without the integrity attribute, and pass unobserved in code review (that if your team does code reviews). So, for real projects where security is a real issue I would just enforce a npm based approach with audits / security checks in the CI / CD process. My two cents :)

@@awesome-coding I agree all the CDN doesn't provide integrity, So we should avoid such CDN providers. Maybe i should start a yt shorts series about Web security🤣.

I don't work for Deno :D

What about her?