Closed dcousens closed 5 years ago
@junderw as the project progresses, maybe we move bitcoinjs-lib to import the majority of the ecosystem dependencies (bip39 etc), like a bundle.
I wouldn't want to do this without ES6 tree shaking (so ES6 exports), but it could be a great way to package it up and provide some semblance of easy-to-verify security?
....... I wonder how npm publish would react to git submodules.
We could seek out all our dependencies on github and set them all up as submodules located somewhere and commit them.
Then we can remove them as dependencies from package.json.
It would be more secure... but it would create large overhead for projects, as there would be overlap (we have bip39 as a git submodule and they import bip39 as well, their webpacks etc. would have two bip39s in them)
Released on npm
@junderw from my package-lock.json, don't know if it is useful, but maybe we can find a way to prevent some problems through iterating on the idea?
Reminder:
We recommend every user of this library and the bitcoinjs ecosystem audit and verify any underlying code for its validity and suitability.
That means, check your packages, verify they match, and never update the packages blindly without verifying their new contents.