This is def a problem, but I think it spans using JavaScript packages for the project in general.
We need a way to distribute JavaScript packages that won't reference external sites. Currently, this is maintained by package.json so we need another mechanism to deal with it.
Of course, the Monaco editor could be the proof-of-concept.
From an initial scan, it looks like Monaco is the only affected library, but we should audit all the deps to identify the ones that load external resources at runtime.
Describe the bug
Externally hosted JS files are key components of the UI.
For example, the JSON and code editor is based on Monaco Editor (https://github.com/Microsoft/monaco-editor) but the JS for the editor is linked to a remote host: https://cdn.jsdelivr.net/npm/monaco-editor@0.28.1/min/vs/editor/editor.main.js
All JS should be served from the Horreum webapp and not rely on externally hosted JS for functionality.
Not only is there a security concern, but the Horreum UI will not function as intended in air-gapped envs or when https://cdn.jsdelivr.net fails to serve the required JS files.
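One way to carry out the dependency audit suggested in the comments, and to confirm the CDN reference described in the bug report, as an added example that is not Horreum project code: a small script that scans built assets for absolute URLs to hosts outside an allowlist and flags the ones that point at runtime-loaded scripts or styles. The file names and contents in `SAMPLE_FILES` are constructed; the Monaco URL is the one quoted in the issue.

```python
import re
from urllib.parse import urlparse

# Absolute http(s) URLs embedded in JS/HTML source. Deliberately simple: it will not
# catch URLs that an AMD loader assembles from a bare host at runtime, so also grep
# for the CDN host name itself when reviewing a real build.
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

# Extensions that a browser would fetch and execute/apply, not merely link to.
RUNTIME_EXTENSIONS = (".js", ".mjs", ".css", ".wasm")


def find_external_refs(source, allowed_hosts=frozenset()):
    """Return sorted (host, url) pairs for URLs whose host is not in allowed_hosts."""
    hits = set()
    for match in URL_RE.finditer(source):
        url = match.group(0).rstrip(".,;")
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            hits.add((host, url))
    return sorted(hits)


def is_runtime_ref(url):
    """True when the URL path looks like a script/style/wasm asset loaded at runtime."""
    return urlparse(url).path.lower().endswith(RUNTIME_EXTENSIONS)


def audit(files, allowed_hosts=frozenset()):
    """Map file name -> list of (host, url) external runtime loads; files with none are omitted.

    `files` is a dict of path -> text, e.g. built from walking a dist/ directory.
    """
    report = {}
    for name, text in files.items():
        refs = [r for r in find_external_refs(text, allowed_hosts) if is_runtime_ref(r[1])]
        if refs:
            report[name] = refs
    return report


# Constructed sample build output: one page pulling Monaco from the CDN, one bundle
# that merely mentions a GitHub URL in a string (a link, not a runtime load).
SAMPLE_FILES = {
    "dist/index.html": (
        '<script src="https://cdn.jsdelivr.net/npm/monaco-editor@0.28.1/min/vs/editor/editor.main.js"></script>\n'
        '<script src="/static/app.js"></script>'
    ),
    "dist/app.js": 'const DOCS = "https://github.com/Microsoft/monaco-editor"; // link only',
}

if __name__ == "__main__":
    for name, refs in audit(SAMPLE_FILES).items():
        for host, url in refs:
            print(f"{name}: external runtime load from {host}: {url}")
```

Run it against the real `dist/` tree and fail the CI job when the report is non-empty; once Monaco is bundled with the webapp the `cdn.jsdelivr.net` entry disappears.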