[feat] `script.integrity` and import map - Githubissues

WICG / import-maps

How to control the behavior of JavaScript imports

https://html.spec.whatwg.org/multipage/webappapis.html#import-maps

Other

2.65k stars 69 forks source link

[feat] `script.integrity` and import map #286

Closed loynoir closed 1 year ago

loynoir commented 1 year ago

Background

There is Subresource Integrity for old days javascript.
deno support import map, and invent own lock file.
node not yet support import map.

Feat

Now, there is ESM. I think there should have a concept update combine two, in flavor of each dependency manager reinvent different lock file.

  "imports": {},
  "scopes": {},
  "integrity": {} | ./lock/file/relative/path/to/import/map,

Additional

As ESM system differ from legacy system, I think, should iter into the inner most dependency, and update field integrity or file flatly.

Related

https://github.com/nodejs/node/issues/44830

Thoughts

For relative path, should be compact for both filesystem and network.
Maybe allow .integrity as a url. Maybe user can store their import map in their dotfile repo?
Maybe design .integrity as an Array<Record<string,string>>, and when importId not uniq, throw error.

Security

Maybe split integrity outside import map ?

Like golang proxy.golang.org and sum.golang.org.

jkrems commented 1 year ago

Is this the same as https://github.com/guybedford/import-maps-extensions#integrity? If so, maybe this existing issue might be interesting: https://github.com/WICG/import-maps/issues/221

loynoir commented 1 year ago

Kind of duplicate.