>Can checksums/hashes be specified directly in the source file?
That would defeat their point actually :D malicious attacker could inject any script by hacking on the network and replace modules that are downloaded through http
How? Say I have `script.ts`. That file exists locally on my computer and the code inside it is trusted (say it was downloaded from a trusted github project via https). It contains
import { dependency } from 'http://whatever.url/@1.0.3'
with hash '6f09aa686a6263f9e992'
or something like that. If an attacker replaces stuff during transfer of the dependency, then the hash won't match (assuming a collision resistant hash function). This can be transitive if the dependency also has hashes of its dependencies directly inside it (and a "only allow that" mode could enforce it).
The additional benefit is that you also don't need to trust the server to not replace code for a URL under your nose from one you have previously verified. So like a lockfile, but without needing to download a separate file (because you also want verification on the first run) and a command-line argument on launch - which makes it a much more viable replacement for bash scripts (in fact, that's why I care about the ability, I wouldn't mind https-only). Am I missing something here?
there are a lot of issues with using a non secure protocol to do anything over the internet, actually someone summarized the issue on the Deno issue tracker.
According to them, confidentiality is also a risk. also someone could also send you garbage that would polute the memory of deno until it explode.
That would defeat their point actually :D malicious attacker could inject any script by hacking on the network and replace modules that are downloaded through http