tim-stephenson
commented
1 year ago I could make it actually local, but all the fingerprinting scripts are fixed to a specific version via package-lock.json, and with a specific version, specific code that cannot be changed without a version bump.
Difference between npm i and npm ci in Node.js Using npm ci one can be sure they do not version bump anything.
Rather than load fingerprinting scripts from the web (e.g., using the CDN to access FingerprintJS), I would suggest building a local JS script, so that you know exactly what code is being executed. For FingerprintJS, you can use rollup for this; see my Touching the fingerprinting API surface repo for an example.