
Re: Security concerns with minified javascript code





On Fri, Aug 28, 2015 at 4:12 PM, Jean-Michel Vourgère <nirgal@debian.org> wrote:

> Vincent Bernat wrote:
> > (...)
> > It has already been said numerous times in the past, for some JavaScript
> > code, we don't really have the tools in Debian to easily go from the
> > source to the minified version. It's possible, but without the
> > appropriate tools, it's painful.
>
> I've been using yui-compressor to get the minified JavaScript.
>
> I never had any issue with it.
>
> Now if you are talking about generating one big JavaScript file
> containing different fragments in the correct order, that's another
> story. But that last issue is not really related to minified js. You can
> compress the JavaScript either before or after yui.


I have experienced trouble with minifying JavaScript code in my package witty.

Upstream uses uglifyjs to minify, so do I where it's available.

But on some platforms, uglifyjs is not available due to missing nodejs (which is in turn due to missing V8 on some platforms). That forces me to use yui-compressor, which is untested by upstream, and may introduce hard-to-find bugs:

https://sources.debian.net/src/witty/3.3.4%2Bdfsg-2/debian/rules/

### JavaScript minifier

# Use UglifyJS (what upstream uses) where available,
# yui-compressor (what upstream used in the past) where there is no UglifyJS

MINIFIER=$(shell which uglifyjs)
ifneq ($(MINIFIER),)
  IS_UGLIFY2=$(shell grep -E '"version": "2\.[0-9]+\.[0-9]+"' /usr/lib/nodejs/uglify-js/package.json)
  ifeq ($(IS_UGLIFY2),)
    # Legacy: uglifyjs < 2.x
    MINIFIER_FLAGS=-c --no-seqs -nc
  else
    # uglifyjs >= 2.x
    MINIFIER_FLAGS=-c sequences=false
  endif
else
  MINIFIER=/usr/bin/yui-compressor
  MINIFIER_FLAGS=--nomunge
endif



--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
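The fallback above picks a different minifier on platforms without nodejs, so the minified file a build produces there is not the one upstream tested. An added example, not code from witty or Debian, of the check a package build could run to make that visible: it reimplements the minifier selection from the debian/rules quoted above in plain sh, re-minifies the source, and compares the result byte-for-byte with the minified file upstream ships, returning a distinct exit status for "differs" and "no minifier installed". The function names (select_minifier, minify, check_reproducible), the UGLIFY_PKG_JSON variable, and the assumption that both tools accept the input file before the flags and write to stdout are mine, not the package's.

```shell
#!/bin/sh
# Added example, not code from witty or Debian: sh version of the minifier
# selection in the debian/rules above, plus a check that re-minifying the
# source reproduces the minified file upstream ships. The names
# select_minifier, minify, check_reproducible and UGLIFY_PKG_JSON are
# hypothetical.

# Where Debian's uglify-js package.json lives (path from the rules above);
# overridable so the check can be pointed at a test fixture.
UGLIFY_PKG_JSON="${UGLIFY_PKG_JSON:-/usr/lib/nodejs/uglify-js/package.json}"

# Print "<tool> <flags>" for the first usable minifier, in the same order of
# preference as debian/rules; exit status 1 when neither tool is installed.
select_minifier() {
    if command -v uglifyjs >/dev/null 2>&1; then
        if grep -Eq '"version": "2\.[0-9]+\.[0-9]+"' "$UGLIFY_PKG_JSON" 2>/dev/null; then
            echo "uglifyjs -c sequences=false"      # uglifyjs >= 2.x
        else
            echo "uglifyjs -c --no-seqs -nc"        # legacy uglifyjs < 2.x
        fi
        return 0
    fi
    if command -v yui-compressor >/dev/null 2>&1; then
        echo "yui-compressor --nomunge"
        return 0
    fi
    echo "no JavaScript minifier found" >&2
    return 1
}

# Minify $1 into $2 with whatever select_minifier picked. The input file is
# passed first and the flags after it (assumption: both tools accept that
# order and write the result to stdout).
minify() {
    cmd=$(select_minifier) || return 1
    set -- "$1" "$2" $cmd        # word-split "$cmd" into tool and flags
    src=$1; out=$2; shift 2
    tool=$1; shift
    "$tool" "$src" "$@" > "$out"
}

# Re-minify source $1 and compare byte-for-byte with the shipped file $2.
# Returns 0 when identical, 1 when they differ (printing both checksums so
# a build log shows the drift), 2 when no minifier is available.
check_reproducible() {
    rebuilt=$(mktemp) || return 2
    if ! minify "$1" "$rebuilt"; then
        rm -f "$rebuilt"
        return 2
    fi
    if cmp -s "$rebuilt" "$2"; then
        rm -f "$rebuilt"
        return 0
    fi
    echo "minified output differs from shipped $2:" >&2
    echo "  rebuilt: $(cksum < "$rebuilt")" >&2
    echo "  shipped: $(cksum < "$2")" >&2
    rm -f "$rebuilt"
    return 1
}

# Usage: sh check-minified.sh src/foo.js shipped/foo.min.js
if [ "$#" -eq 2 ]; then
    check_reproducible "$1" "$2"
fi
```

A byte-for-byte match is the only thing this can assert; when the build has to fall back to yui-compressor the comparison will normally fail, and the exit status 1 is the signal that the shipped file was not reproduced with the tool upstream used, which is exactly the case where the minified output is untested.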
