Not to mention the (apparently not obvious?) option of detaching review- and release versions. We still look at the diff of latest versions of dependencies before they reach our codebase. That seems like the most responsible.
Besides, why stop there? Everyone installing packaged builds from NPM are already freeriding from those installing sources straight from Github releases. smh
At least for now. Tried many browsers and Mullvad Browser and Konform Browser are the only two that I managed to beat them with. They both enforce bundled set of fonts like Tor Browser. Firefox and other forks are fingerprintable via variations in font rendering due to system fontconf or fonts differing.
Firefox uses randomised IDs for installed extensions, so the method highlighted won't work on Firefox. That's not to say they aren't trying other methods on Firefox.
Or those people can (fund) separate repackaging and redistribution with more stringent and formalized review process.
Maybe not all users should pull all packages straight from what devs are pushing.
There's no reason we can't have "node package distributions" like we have Linux distributions. Maybe we should stop expecting devs and maintainers and Microsoft to take responsibility for our supply-chain.
Not to mention the (apparently not obvious?) option of detaching review- and release versions. We still look at the diff of latest versions of dependencies before they reach our codebase. That seems like the most responsible.
Besides, why stop there? Everyone installing packaged builds from NPM are already freeriding from those installing sources straight from Github releases. smh
reply