Open hendursaga opened 2 years ago
Indeed. While I'm not paranoid enough to care much about Dark Reader ever becoming unstable/unreliable, I can understand your reasoning here.
I thought about using a Dark Reader submodule, but they don't provide pre-compiled scripts there, as far as I know. Compiling it manually is too much work for someone installing the extension. Thus, the perfect scenario would be to check out a specific submodule version when ASDF-loading the extension. Still, it can be quite a demanding process...
I'm open to ideas there, as it's a non-trivial problem, I guess :D
> Compiling it manually is too much work
I was thinking merely hard-coding the version number in the URL at https://github.com/aartaka/nx-dark-reader/blob/master/nx-dark-reader.lisp#L51 and then comparing the downloaded file with a hard-coded hash. Like SRI.
Well, now that we've apparently switched to the UserScript / WebExtensions approach, I'm not sure how to proceed, as it does not seem the metadata block has ANY support for any sort of integrity check whatsoever. Horrifying!
Yeah, that's a tough one. We can extend the syntax of @require with signature checking, though :)
See https://github.com/violentmonkey/violentmonkey/issues/1558#issuecomment-1231947929 for the issue I started there. Since I assume we're (going to be) using our own "userscript manager," using TamperMonkey's syntax would be a good idea.
It would be nice to pin the DarkReader package to a specific version, hard-code the SHA-512 hash, then subsequently verify the download. Then we'll have greater reproducibility and security.