
PRP: Extractor for NPM-based JavaScript CDNs #2029

@dosisod

Description

  • Software distribution method or binary type: JavaScript CDNs that distribute NPM packages
  • Popularity of distribution method: According to GitHub search:
  • Any critical, emergent vulnerability associated with software from the distribution method: See rationale below. CDNs which mirror NPM packages introduce new delivery mechanisms which aren't currently detected

Rationale

No-build deployments are becoming more popular due to improved browser support for ES Modules, CSS @import, and import maps. Currently, users who use NPM-based CDNs won't get any hits from the OSV Scanner, despite the fact that they are using the same underlying package registry.

Since I use these CDNs for my projects, I want to ensure OSV can scan it. I'm willing to write an HTML extractor as described above, but want to gauge interest in it before I go ahead and implement it.

Out of Scope

These changes could be added later, but are not intended to be in the scope for this issue:

  • CDNs which don't use the NPM registry. For example, cdnjs would not be covered as it doesn't translate 1:1 with the NPM registry
  • Dedicated CDNs for libraries such as Tailwind and jQuery
  • Non-JavaScript CDN usage. For example, CSS @import statements inside .css files or <style> tags would not be covered
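One way such an extractor could work, as an added example that is not code from the issue author or from the OSV-Scanner project: it scans an HTML page for import-map targets, ES module `import` specifiers and classic `<script src>` URLs, recognises the NPM-backed CDN hosts esm.sh, cdn.skypack.dev, unpkg.com and cdn.jsdelivr.net (under `/npm/` only, since jsDelivr's `/gh/` paths are GitHub sources), and reports the package name and exact version from each URL. The host list, the URL path conventions, the `/v135/`-style esm.sh build-pin handling, the regex-based import detection and the omission of import-map `scopes` are all assumptions made here; a production extractor would use a real JavaScript/HTML parser. The sample page is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Package is one pinned NPM dependency: the name (with scope) and exact version an OSV query needs.
type Package struct{ Name, Version string }

// cdnHosts is an assumed list (not from the issue) of NPM-backed CDN hosts and the path prefix
// before the package specifier; jsDelivr's gh/ paths are GitHub sources, not NPM, and fail it.
var cdnHosts = map[string]string{"esm.sh": "", "cdn.skypack.dev": "", "unpkg.com": "", "cdn.jsdelivr.net": "npm/"}

var (
	// Regex heuristics; a production extractor should use a real JavaScript/HTML parser instead.
	importRe    = regexp.MustCompile(`import\s*(?:[^'";]*?\s*from\s*)?\(?\s*["']([^"']+)["']`)
	importMapRe = regexp.MustCompile(`(?is)<script[^>]*type\s*=\s*["']?importmap["']?[^>]*>(.*?)</script>`)
	scriptSrcRe = regexp.MustCompile(`(?is)<script[^>]*\ssrc\s*=\s*["']([^"']+)["']`)
	esmBuildRe  = regexp.MustCompile(`^v\d+/`) // esm.sh build pin, e.g. /v135/react@18.2.0
	exactVerRe  = regexp.MustCompile(`^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$`)
)

// parseCDNURL maps a CDN URL to an exact NPM package/version. It reports false for non-CDN URLs, bare
// specifiers and unpinned versions ("react@^18", "lodash@latest", "bootstrap@5"), which resolve at
// request time, so there is no single version to check against an advisory's affected range.
func parseCDNURL(raw string) (Package, bool) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") {
		return Package{}, false
	}
	prefix, ok := cdnHosts[strings.ToLower(u.Host)]
	p := strings.TrimPrefix(u.Path, "/")
	if !ok || !strings.HasPrefix(p, prefix) {
		return Package{}, false
	}
	p = strings.TrimPrefix(p, prefix)
	if strings.EqualFold(u.Host, "esm.sh") {
		p = esmBuildRe.ReplaceAllString(p, "")
	}
	// The specifier is the first path segment (two for @scope/name@1.2.3); the rest is a file sub-path.
	segs := strings.SplitN(p, "/", 3)
	spec := segs[0]
	if strings.HasPrefix(spec, "@") && len(segs) > 1 {
		spec += "/" + segs[1]
	}
	i := strings.LastIndex(spec, "@")
	if i <= 0 || !exactVerRe.MatchString(spec[i+1:]) {
		return Package{}, false
	}
	return Package{Name: spec[:i], Version: spec[i+1:]}, true
}

// ExtractPackages scans an HTML document for import-map "imports" targets (import-map "scopes" are
// left out here), ES module import specifiers and <script src> URLs; result is de-duplicated and sorted.
func ExtractPackages(htmlDoc string) []Package {
	seen := map[Package]bool{}
	var out []Package
	add := func(raw string) {
		if pkg, ok := parseCDNURL(strings.TrimSpace(raw)); ok && !seen[pkg] {
			seen[pkg], out = true, append(out, pkg)
		}
	}
	for _, m := range importMapRe.FindAllStringSubmatch(htmlDoc, -1) {
		var im struct{ Imports map[string]string `json:"imports"` }
		_ = json.Unmarshal([]byte(m[1]), &im) // malformed map: Imports stays nil, as browsers ignore it too
		for _, target := range im.Imports {
			add(target)
		}
	}
	for _, re := range []*regexp.Regexp{scriptSrcRe, importRe} {
		for _, m := range re.FindAllStringSubmatch(htmlDoc, -1) {
			add(m[1])
		}
	}
	sort.Slice(out, func(a, b int) bool {
		return out[a].Name < out[b].Name || (out[a].Name == out[b].Name && out[a].Version < out[b].Version)
	})
	return out
}

// sampleHTML is a constructed no-build page, not taken from any real site.
const sampleHTML = `<!doctype html><html><head><script type="importmap">{ "imports": {
  "react": "https://esm.sh/react@18.2.0", "react-dom/": "https://esm.sh/react-dom@18.2.0/",
  "lit": "https://cdn.jsdelivr.net/npm/lit@3.1.0/+esm", "lodash": "https://cdn.skypack.dev/lodash@latest",
  "@fortawesome/fontawesome-free/": "https://unpkg.com/@fortawesome/fontawesome-free@6.5.1/" } }</script>
<script src="https://unpkg.com/vue@3.4.21/dist/vue.global.prod.js"></script>
<script src="https://cdn.jsdelivr.net/gh/someone/repo@1.0.0/dist/lib.js"></script>
</head><body><script type="module">import React from "react";
import { html } from 'https://esm.sh/v135/htm@3.1.1';
const dayjs = await import("https://esm.sh/dayjs@1.11.10/esm/index.js");
import "https://cdn.jsdelivr.net/npm/bootstrap@5/dist/js/bootstrap.bundle.min.js";
</script></body></html>`

func main() {
	for _, p := range ExtractPackages(sampleHTML) {
		fmt.Printf("npm\t%s@%s\n", p.Name, p.Version)
	}
}
```

Two design points a reviewer of such an extractor would look for are visible in the sample: unpinned specifiers (`lodash@latest`, `bootstrap@5`, the bare `react` that an import map resolves) are deliberately dropped rather than reported with a guessed version, because a CDN may serve a different release on every request; and a jsDelivr `/gh/` URL is skipped even though it looks like `name@version`, since it is not an NPM package and would produce a wrong OSV query.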

Metadata

Labels

  • PRP: Patch Reward Program. This label is added to all PRP-related issues for easy filtering.
  • PRP:Accepted: Patch Reward Program. This issue has been accepted as a PRP entry.
  • PRP:Request: Patch Reward Program. This issue is a PRP contribution request and is being reviewed by the panel.