I'm pissed at #NPM now, so it's time to find ways to undermine it out of spite.
So what's the move? Set all my dependencies to #ESModule urls? Is #SkyPack still a thing? Start using #Deno instead of #NodeJS?
#webdev #node #npmpjs #javascript #nodejs #deno #skypack #esmodule #npm
Finally found the time to open a discussion on the Snowpack forums about the lack of subresource integrity (SRI) in Skypack: https://github.com/snowpackjs/snowpack/discussions/2569
(Background: my post from the end of last year titled Skypack: backdoor as a Service? https://ar.al/2020/12/30/skypack-backdoor-as-a-service/)
#skypack #snowpack #SubresourceIntegrity #SRI #security #privacy
“If I were In-Q-Tel right now, I’d be drooling as I wrote a check with lots of zeros in it for the Skypack folks because widespread use of Skypack would be any national security agency’s wet dream. Imagine being able to inject any code into any web application at any time to obtain login credentials, etc.
This isn’t even a backdoor. This is a wide open frontdoor. It’s basically Backdoor as a Service.”
#privacy #security #cdn #Snowpack #skypack