Use CDN with SRI #2011
Comments
No need to switch the provider, just use this if you want SRI:
@fulldecent note that this link uses a different package (or a different source, actually - GitHub) than jsdelivr/jsdelivr#18105 because this project doesn't ship the build file in the npm package.
Thank you, posted in pull request #2012
In my experience many people (and even more project maintainers) prefer the versionless links though because they don't become outdated (or don't have to be updated every time). A good compromise might be keeping the current link without SRI and adding a note like "or get a link with SRI enabled here", linking to https://www.jsdelivr.com/package/gh/ethereum/web3.js?path=dist
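The trade-off between versionless links and SRI discussed above, as an added example that is not part of the thread or of the project's code: it computes an `integrity` value and applies the browser's matching rule (only the strongest listed algorithm counts), showing that a hash pinned to one build rejects whatever a versionless URL serves after the next release. The function names and the two file bodies are constructed for illustration.

```javascript
// Added example: SRI digest computation and the browser-side matching rule.
const crypto = require("crypto");

// Relative strength of the algorithms SRI defines.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity value such as "sha384-<base64 digest>" for a file body.
function sriFor(body, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(body).digest("base64")}`;
}

// Parse the attribute: whitespace-separated "<algo>-<base64>[?options]" tokens.
// Tokens with an unknown algorithm or malformed digest are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { algo: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// True if the body matches any digest of the strongest algorithm listed.
// With no usable token there is nothing to enforce, so the resource loads.
function integrityAllows(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => STRENGTH[e.algo]));
  return entries
    .filter((e) => STRENGTH[e.algo] === best)
    .some((e) => sriFor(body, e.algo) === `${e.algo}-${e.digest}`);
}

// Constructed file bodies standing in for two successive releases.
const v1 = Buffer.from("/* constructed build 1.0.0 */ var lib = 1;");
const v2 = Buffer.from("/* constructed build 1.0.1 */ var lib = 2;");
const pinned = sriFor(v1); // hash taken when the link was added to the README

console.log("versioned URL, still serving 1.0.0:", integrityAllows(v1, pinned));
console.log("versionless URL, now serving 1.0.1:", integrityAllows(v2, pinned));
// Listing both releases' hashes lets either build load during a rollover.
console.log("both hashes listed:", integrityAllows(v2, `${pinned} ${sriFor(v2)}`));
// A matching sha256 token is ignored when a stronger sha384 token is present.
console.log("weaker hash ignored:",
  integrityAllows(v2, `${sriFor(v2, "sha256")} ${pinned}`));
```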
The programmers become irrelevant when the customers leave. Security first!
Add SRI to CDN link, fixes #2011, thank you @MartinKolarik
Presently the README recommends using CDN like this:
Source: https://github.com/ethereum/web3.js/blob/develop/README.md
Please switch to a better CDN provider that provides stable resources and integrity hashes (SRI). This will remove a current vulnerability in the system and it will improve resource caching.