New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): remove vendored lockdown.umd.js #1081
base: main
Are you sure you want to change the base?
Conversation
This removes the vendored `lib/lockdown.umd.js`. `ses` does not actually export its `dist/lockdown.umd.js`. It _does_ export `dist/ses.cjs` as `lockdown`. `dist/ses.cjs` is _identical_ to `dist/lockdown.umd.js` (as well as `lockdown.mjs`, `lockdown.cjs`, `ses.mjs`, and `ses.umd.js`). What are the implications of doing this?
OK, this is not so straightforward, because we're using the I'm not sure it's worth doing this or not. |
The alternative I had in mind would be to keep in the resulting |
Aditionally, when we resolve SES instead of reading it from a file, we open up more ways to hack the build in a way that dismantles the bundle runtime security. |
I don't follow
Yes. This is a tradeoff in that it it opens this hole, but closes another hole: currently, a consumer cannot easily override or otherwise provide a custom resolution for the version of Of course, either way, a consumer can I don't really understand which issue is more severe, or more likely. Hopefully someone else has better insight. 😄 |
I gave
some thought, because it's a great argument, but I think that eventually this statement is true to many other dependencies we rely on. Some set of deps (ideally as small as possible) is going to be a set we vet on, and I think SES needs to be one of them, given it's a project we contribute to and trust is secure. Thus, maybe resolving it locally isn't the worst idea and it would be far better than having a checked in version of the entire file in terms of convenience. We can also consider building a mechanizm that verifies the content of the SES we're about to use matches the public published version, but not as a blocker to this PR IMO. |
This removes the vendored
lib/lockdown.umd.js
.ses
does not actually export itsdist/lockdown.umd.js
. It does exportdist/ses.cjs
aslockdown
.dist/ses.cjs
is identical todist/lockdown.umd.js
(as well aslockdown.mjs
,lockdown.cjs
,ses.mjs
, andses.umd.js
).What are the implications of doing this?