wasm-pack
Lack of integrity verification of downloaded external dependencies
Hey,
My name is Maciej Mensfeld and I run a research security project called WhiteSource Diffend.io.
I've noticed that this library downloads some external releases and uses them. While it's a totally common pattern, what is lacking here is integrity verification.
You could verify the integrity of the downloaded file before using it by comparing the file hash to a hardcoded, expected file hash.
This is essentially what package managers do to verify the integrity of downloaded packages.
Doing this would prevent attack scenarios in which wasm-pack release data is manipulated.
Have a great day :)
https://github.com/rustwasm/wasm-pack/blob/master/npm/binary.js#L28=