Browser-compatible version
As part of my work on https://github.com/sigstore/sigstore-js/issues/1195, I would like to port at least a subset of the functionality of this package to work in a browser natively. Of course, some compromises have to be made, namely the only way to make external requests is fetch() and it is not possible to have local filesystem access. I can implement caches anyway through any of the storage methods offered for plugins.
I will keep updates here of my result, and eventually I'd be happy to contribute back anything that could be useful.
The massive dependency tree of make-fetch-happen is also a blocker to bring provenance to Yarn: https://github.com/yarnpkg/berry/pull/6750
#849 has been open for a while, maybe a less violent breaking change is turning tuf-js into a BYOF (bring your own fetch) library. It would allow consumers to choose between make-fetch-happen, globalThis.fetch, undici, node-fetch...
Can I be of any help?
I gave up with the porting efforts and ended up writing a minimal client implementation that has no dependencies and is browser-native here. Though for long term sustainability, it would still probably be better to find a way to drop my custom version and use a supported client. Back then I did manage to port almost all the crypto, but then fetch and file system access were major blockers, both theoretically solvable but time intensive for somebody with no expertise in that codebase. So I think it would be useful! We are on a path to continue development there, so we might come back to attempt the port again if there are improved circumstances.
Oooooh that's pretty nice! Any chance you publish it as a npm package for node usage?
Btw you have "vite-plugin-web-extension": "^4.2.0" in your dependencies
> Oooooh that's pretty nice! Any chance you publish it as a npm package for node usage?
I would like to, and the development led to some discoveries. There are no tests and spec parts are still missing; I use it only for the Sigstore trust material updates. It was written as a research project, but it's possible that I might get to keep working on it. If that's the case, I'd say we'd look into packaging for sure!
> Btw you have `"vite-plugin-web-extension": "^4.2.0"` in your dependencies
Oopsie, you are right, I meant no runtime dependencies, afaik that is useful to have the TypeScript types and for building, but there should not be third party code in the output file.
> #849 has been open for a while, maybe a less violent breaking change is turning `tuf-js` into a BYOF (bring your own fetch) library. It would allow consumers to choose between `make-fetch-happen`, `globalThis.fetch`, `undici`, `node-fetch`...
That'd be ideal (rather than directly using fetch, although it could be configured as the default "driver"), as for example for Yarn we have our own fetch-like function that takes the package manager network configuration into account.
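To make the "bring your own fetch" idea concrete, here is an added example (not code from tuf-js, sigstore-js or Yarn): a download step that takes any fetch-like function as its driver, defaults to globalThis.fetch, and enforces a caller-supplied maximum length, as a TUF client must, so a misbehaving mirror cannot feed unbounded data. The class name, the in-memory fakeFetch driver and the repository URL are all constructed for the example.

```javascript
// Added example, not tuf-js code. Works on Node 18+ or in a browser; relies only on
// the WHATWG fetch/Response shape, so make-fetch-happen, undici, node-fetch or a
// package manager's own network-aware wrapper can all be injected as the driver.
class BYOFetchClient {
  constructor({ fetch: fetchFn = globalThis.fetch, timeoutMs = 10000 } = {}) {
    if (typeof fetchFn !== 'function') throw new TypeError('a fetch-like function is required');
    this.fetch = fetchFn;
    this.timeoutMs = timeoutMs;
  }

  // Fetch url and return its body as a Uint8Array; rejects if it exceeds maxLength bytes.
  async downloadBytes(url, maxLength) {
    const controller = new AbortController();
    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
    try {
      const res = await this.fetch(url, { signal: controller.signal });
      if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
      const declared = res.headers.get('content-length');
      if (declared !== null && Number(declared) > maxLength) {
        throw new Error(`declared length ${declared} exceeds ${maxLength} for ${url}`);
      }
      // Count bytes while streaming: a missing or false content-length must not bypass the cap.
      const reader = res.body.getReader();
      const chunks = [];
      let received = 0;
      for (;;) {
        const { done, value } = await reader.read();
        if (done) break;
        received += value.byteLength;
        if (received > maxLength) {
          await reader.cancel();
          throw new Error(`body exceeds ${maxLength} bytes for ${url}`);
        }
        chunks.push(value);
      }
      const out = new Uint8Array(received);
      let offset = 0;
      for (const chunk of chunks) { out.set(chunk, offset); offset += chunk.byteLength; }
      return out;
    } finally {
      clearTimeout(timer);
    }
  }
}

// Constructed in-memory driver so the example runs offline; it stands in for whatever
// fetch implementation the consumer injects (the URL and metadata are made up).
const FAKE_REPO = { 'https://tuf.example.invalid/metadata/1.root.json': '{"signed":{"_type":"root"}}' };
function fakeFetch(url, _init) {
  const body = FAKE_REPO[url];
  return Promise.resolve(body === undefined ? new Response('not found', { status: 404 }) : new Response(body));
}
```

Usage: `new BYOFetchClient({ fetch: fakeFetch }).downloadBytes(url, 1024)` resolves to the bytes, while the same call with a cap of 8 rejects with a length error.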