by giergirey 4479 days ago
Here's one security concern - What procedure do you follow when accepting files for inclusion in jsdelivr?

I mean, what's to stop this scenario:

1. attacker uploads a poisoned version (say, with an XSS vulnerability) of a popular library to an official-sounding github repo
2. attacker raises a github issue with you asking you to put it on jsdelivr
3. you assume the attacker is a legitimate contributor or user of the library and add it to jsdelivr
4. other sites start using the poisoned version of the library
5. attacker can now carry out XSS attacks on the sites using the library

I have another security concern about www.jsdelivr.com (which I hope is totally separate from the CDN?) but I'll email that to you.

1 comment

I validate all submitted libraries. I try to do size and md5 validation for everybody. Cases where I do minimum validation are when the author himself submits his library, and for trusted people I can skip md5.

But once the auto-update app comes online these issues should become obsolete.

www.jsdelivr.com is completely separate from the CDN. Plus the code is open sourced so you can actually see how it works.