
Remove external hosted JS for Monaco Editor

Open johnaohara opened this issue 2 years ago • 3 comments

Describe the bug

Externally hosted JS are key components of UI.

For example, the JSON and code editor is based on Monaco Editor (https://github.com/Microsoft/monaco-editor) but the JS for the editor is linked to a remote host: https://cdn.jsdelivr.net/npm/[email protected]/min/vs/editor/editor.main.js

All JS should be served from the Horreum webapp and not rely on externally hosted JS for functionality.

Not only is there a security concern, but the Horreum UI will not function as intended in air-gapped envs or when https://cdn.jsdelivr.net fails to serve the required JS files.

johnaohara, Feb 06 '23 18:02

This is def a problem, but I think it spans using JavaScript packages for the project in general.

We need a way to distribute JavaScript packages that won't reference external sites. Currently, this is maintained by package.json so we need another mechanism to deal with it.

Of course, the Monaco editor could be the proof-of-concept.

jesperpedersen, Feb 13 '23 16:02

From an initial scan, it looks like monaco is the only affected library, but we should audit all the deps to identify the ones that load external resources at runtime.

johnaohara, Feb 13 '23 18:02
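The audit suggested above can be started mechanically: scan the built front-end assets (index.html, bundled JS, editor loader configuration) for absolute URLs whose host is not the application's own origin. The helper below is an added example written for this thread, not Horreum project code. It assumes a Node.js runtime, that the webapp's own host is `localhost` unless the caller passes a different allow-list, and uses constructed sample inputs: a page loading Monaco from the CDN (version written as the placeholder `X.Y.Z`) beside the same `require.config` pointing at a `/vs` path served by the webapp itself.

```javascript
// Added example (not Horreum project code): scan front-end source or build
// output for references to externally hosted resources, so that anything
// fetched from a third-party host at runtime is flagged before release.

const URL_RE = /https?:\/\/[^\s"'`<>)]+/g;

// Hosts allowed to serve resources. Assumption: the app is served from
// localhost; a real run would pass the deployment origin instead.
const DEFAULT_ALLOWED_HOSTS = new Set(['localhost']);

/**
 * Return every absolute URL in `text` whose host is not in `allowedHosts`.
 * Each hit records the URL, its host and the 1-based line it appears on.
 */
function findExternalRefs(text, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const hits = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(URL_RE)) {
      let host;
      try {
        host = new URL(m[0]).hostname;
      } catch {
        continue; // not a parseable URL, skip it
      }
      if (!allowedHosts.has(host)) {
        hits.push({ url: m[0], host, line: idx + 1 });
      }
    }
  });
  return hits;
}

/**
 * Scan a map of filename -> contents and summarise the distinct external
 * hosts per file. Files with no external references are left out.
 */
function auditFiles(files, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const report = {};
  for (const [name, contents] of Object.entries(files)) {
    const hosts = [...new Set(
      findExternalRefs(contents, allowedHosts).map((h) => h.host),
    )];
    if (hosts.length) report[name] = hosts;
  }
  return report;
}

// Constructed sample inputs (not taken from Horreum). "X.Y.Z" stands in for
// whatever Monaco version the page pins; it is a placeholder, not a real pin.
const SAMPLE_FILES = {
  // Loads the editor from the CDN: both the loader script and the AMD
  // `vs` path resolve to a third-party host.
  'index-cdn.html': [
    '<script src="https://cdn.jsdelivr.net/npm/monaco-editor@X.Y.Z/min/vs/loader.js"></script>',
    '<script>',
    '  require.config({ paths: { vs: "https://cdn.jsdelivr.net/npm/monaco-editor@X.Y.Z/min/vs" } });',
    '</script>',
  ].join('\n'),
  // Same configuration with the editor files copied into the webapp and
  // served relative to its own origin.
  'index-selfhosted.html': [
    '<script src="/vs/loader.js"></script>',
    '<script>',
    '  require.config({ paths: { vs: "/vs" } });',
    '</script>',
  ].join('\n'),
};

// Stand-alone run: print the report for the constructed samples.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditFiles(SAMPLE_FILES), null, 2));
}
```

Run over a real build directory, the same `auditFiles` call takes a map built by reading each emitted `.html` and `.js` file; anything reported that is not the deployment origin is a candidate for vendoring into the webapp, as the Monaco case above illustrates. The regex only catches absolute URLs, so a dependency that assembles a CDN URL at runtime from fragments would need a second pass in a browser with network access blocked.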

Yeah, we probably need a support matrix for the Monaco Editor stuff with the React dependencies as well.

We have about 1.5y worth of updates within this area.

jesperpedersen, Feb 13 '23 18:02