2021-03-07

CDN deployment for JS modules - missing pieces

There are multiple CDNs that mirror NPM- and GitHub-sourced modules. They support semantic versioning of your modules and offer a few additional services for module owners. The services for web developers are currently quite limited and need to be extended to support a modern web application development and delivery stack.

From a security point of view we need assurance that the content is genuine. The subresource integrity attribute covers the published binary itself, but we also need enough information to reproduce the build (the build log) and a cross-reference to the versioned source location.

Security scan reports from one or several vendors are essential for keeping publicly reused code safe. Publishing security scan reports along with the binaries would enable transparent review across all modules used in a page, without exceptions, giving 100% coverage of both our own content and 3rd-party dependencies.

Test coverage is a significant criterion of application reliability. In the world of Web 3.0, where apps from different vendors meet on the same browser page, the page owner has no assurance of overall quality of service unless they can review test coverage for everything, including 3rd-party code. By deploying versioned binaries on a CDN together with the accompanying test coverage report, the web application owner and consumer gain the ability to check, and if not satisfied, to eliminate or substitute unreliable versions.

Licensing transparency. While legal reuse and redistribution questions are boring and complex, publishing the licensing info alongside the binaries published on the CDN would make it possible to check the whole dependency tree for (in)compatible licensing. That would matter to application vendors, corporate consumers and end users who do not want to support piracy.

Developer support. When dealing with binaries it is difficult to troubleshoot the internals of a module published on a CDN. The source map could be published on the CDN next to the binaries to help the development community and clients who are willing to troubleshoot for themselves. The original source version is also a candidate for mirroring on the CDN.

A build stack that targets CDN publishing would eliminate the need to keep dependencies in bundles, making the build lightning fast, since dependencies and own code that are already published on the CDN do not need to be recompiled, verified or published again.

My goal is to support the above features and make such a stack available to application developers.

Cross-posted on Patreon