Looking into jspm and, like Skypack, I can't find anything on subresource integrity support. Unless I'm missing something, this new crop of ESM-based CDNs – while they sound great otherwise – are basically backdoors waiting to happen.


See: https://ar.al/2020/12/30/skypack-backdoor-as-a-service/

Skypack issue: https://github.com/skypackjs/skypack-cdn/issues/135
jspm issue: https://github.com/jspm/project/issues/92


@aral I think it'd be cool to use a content-addressed system like IPFS to address this, but I haven't thought about it too much!

@EvanHahn See Hypercore (IPFS is VC-funded). A signed DAG would be interesting but probably overlaps more with git than my use case. All I really need is a signed hash of the file tacked onto it.
