dchest / tweetnacl-js

Port of TweetNaCl cryptographic library to JavaScript
https://tweetnacl.js.org
The Unlicense
1.75k stars 292 forks

Minified build in npm package makes auditing harder #204

Open joepie91 opened 3 years ago

joepie91 commented 3 years ago

Hi,

TweetNaCl.js currently includes a minified build in its package on npm, but unfortunately this is making dependency auditing quite a bit harder; in addition to a human-readable version, a minified version now also needs to be audited and/or reproduced (which has its own toolchain trust issues).

I've written a bit more about this topic (and why minified builds are not useful on npm) here -- I'd like to request removing it from the npm package :)

dchest commented 3 years ago

Makes sense. Note that the default import uses non-minefield version, so unless the user of the library imports a minified file explicitly, nacl-fast.js will be used.

I’ve marked this for 2.0 version, since removing minified builds would be a breaking change.

Thanks!

dchest commented 3 years ago

*non-minified. But I like that autocorrect turned it into “non-minefield” 😄

joepie91 commented 3 years ago

Great, thanks :)