
Minified build in npm package makes auditing harder

Open joepie91 opened this issue 4 years ago • 3 comments

Hi,

TweetNaCl.js currently includes a minified build in its package on npm, but unfortunately this is making dependency auditing quite a bit harder; now, in addition to the human-readable version, the minified version also needs to be audited and/or reproduced (which has its own toolchain trust issues).

I've written a bit more about this topic (and why minified builds are not useful on npm) here -- I'd like to request removing it from the npm package :)

joepie91 avatar Aug 28 '20 13:08 joepie91

Makes sense. Note that the default import uses non-minefield version, so unless the user of the library imports a minified file explicitly, nacl-fast.js will be used.

I’ve marked this for 2.0 version, since removing minified builds would be a breaking change.

Thanks!

dchest avatar Aug 28 '20 15:08 dchest

*non-minified. But I like that autocorrect turned it into “non-minefield” 😄

dchest avatar Aug 28 '20 15:08 dchest

Great, thanks :)

joepie91 avatar Aug 28 '20 18:08 joepie91