by chiefalchemist 2353 days ago
Spitballing...couldn't there be a cloud-based Bundler as a Service? Mind you, there's a risk in letting someone else "see" your code, having 700+ applications of unknown origin isn't any better.

If the host of the BaaS could be trusted, and they constantly vetted all packages, isn't that possibility less risky?

Especially with minified JS, how would you be sure that you get a minified version of your actual code and not one that additionally does something else you might not want?

Not saying that running 700+ apps is better, just noting that bundling as a service might not be a perfect solution either.
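The question above (does the service's minified output really correspond to your code?) has a standard defensive answer: build the same inputs yourself with a pinned toolchain and lockfile, compare the two outputs byte for byte, and only then publish a Subresource Integrity hash so browsers refuse any bundle that later differs. The following is an added example written for this thread, not code from any of the posters; the two build outputs are constructed stand-ins for the contents of each build's output directory.

```python
"""Verify that a bundle returned by a build service matches what a pinned,
locally run toolchain produces, then emit the SRI value to pin in HTML."""
import base64
import hashlib

# Constructed sample outputs: relative path -> file bytes (stand-ins for dist/).
LOCAL_BUILD = {
    "app.min.js": b"(function(){console.log('hello')})();",
    "vendor.min.js": b"!function(){var e=1}();",
}
# Same inputs bundled by a hypothetical service: app.min.js carries extra
# code the local build never produced, and an extra file appeared.
SERVICE_BUILD = {
    "app.min.js": b"(function(){console.log('hello')})();(function(){/*extra*/})();",
    "vendor.min.js": b"!function(){var e=1}();",
    "helper.min.js": b"",
}


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for `data`, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def compare_builds(local: dict, service: dict) -> dict:
    """Map each path to 'match', 'differs', 'missing_from_service' or
    'unexpected_in_service' by comparing SHA-256 digests of the contents."""
    report = {}
    for path in sorted(set(local) | set(service)):
        if path not in service:
            report[path] = "missing_from_service"
        elif path not in local:
            report[path] = "unexpected_in_service"
        elif hashlib.sha256(local[path]).digest() == hashlib.sha256(service[path]).digest():
            report[path] = "match"
        else:
            report[path] = "differs"
    return report


def verify(local: dict, service: dict) -> bool:
    """True only when every file is byte-identical and nothing was added or dropped."""
    return all(status == "match" for status in compare_builds(local, service).values())


if __name__ == "__main__":
    for path, status in compare_builds(LOCAL_BUILD, SERVICE_BUILD).items():
        print(f"{status:22s} {path}")
    if verify(LOCAL_BUILD, SERVICE_BUILD):
        # Only a bundle that reproduced exactly gets an integrity attribute published.
        for path, data in LOCAL_BUILD.items():
            print(f'<script src="{path}" integrity="{sri_hash(data)}"></script>')
    else:
        print("bundle rejected: output differs from the independent build")
```

The check only works if the build is reproducible, so the local run must use the same pinned bundler version, lockfile and minifier settings as the service; any legitimate nondeterminism (timestamps, hashed chunk names) shows up as "differs" and has to be removed from the toolchain before the comparison means anything.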

What about bundling in a local VM or docker container?

I believe there could be some malicious code added to the bundle by these dependencies regardless of where it is being run.

I was mostly addressing the part regarding malicious dependencies gaining access to your local filesystem.

If we are talking about the final bundle itself being compromised, there is not really a technical solution to that other than not using dependencies.

I might be missing something here, but that cloud-based service would either need to run webpack, Rollup, or Parcel on the files you send them, or write a new application from scratch (without dependencies). I guess businesses are gonna business, but if you're writing that application anyway, why not just release it for devs to run on their own machines and CI servers?

Yes. Same flow/process. The difference is, the service provider vets the packages. Certainly, given the risks, there's a market at the enterprise level. Sec for them is real.