Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?
Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.
Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!
HTMX (code snippet from their quick start guide):
```
<script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script>
<!-- have a button POST a click via AJAX -->
<button hx-post="/clicked" hx-swap="outerHTML">
Click Me
</button>
```
Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!
Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.
I was being sarcastic. Although hot linking is not particularly common, it's common enough; and unpinned dependencies are just as much if not more of a supply chain attack risk.
I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.
Pearlclutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.
I'm not sure I follow. How does an integrity check help when the source is compromised? The developer doesn't know that their repo is compromised. They continue posting legitimate hashes because the repo is legitimately compromised.
Boostrap (code snippet from their quick start instructions): ``` <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Bootstrap demo</title> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous"> </head>
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/..." integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstr..." integrity="sha... ```
Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!
HTMX (code snippet from their quick start guide): ``` <script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script> <!-- have a button POST a click via AJAX --> <button hx-post="/clicked" hx-swap="outerHTML"> Click Me </button> ```
Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!
Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.