
Re: Security concerns with minified javascript code

 ❦  1 September 2015 13:45 -0500, Gunnar Wolf <gwolf@gwolf.org>:

>> uglifyjs is a KISS tool to minify. Unfortunately, many projects do not
>> require only minification. They require transpiling (convert from ES6 to
>> ES5 or from CoffeeScript/Typescript/... to vanilla JS) and dependency
>> handling (through loaders). And this is becoming more and more common
>> because people want to use ES6 or some more modern JS.
> ...If so, they should be properly labeled and treated as something
> different. "Transpiling" effectively means "compiling", and we know
> what requirements we have with code in order to accept it compiled: We
> need to have the sources as well. Nobody will argue that we don't have
> to ship sources for binaries on ARM platforms because ARM has enough
> registers so that compiled objects are as good as source.

The term transpiling is used because it is mostly a matter of tweaking
the syntax a bit (ES6 has an arrow function syntax not present in ES5) and
inserting polyfills. See for example the future version of jQuery
written with ES6 but transpiled to ES5:


Unlike an ARM binary, this is still JavaScript, the indentation and the
comments are still here. The variables have the exact same name. Most
people wouldn't have any problem believing that this is the base
source code of jQuery because it looks like how jQuery would have been
written in ES5 JS (like it is with jQuery 1.x and 2.x).
Perilous to all of us are the devices of an art deeper than we ourselves
		-- Gandalf the Grey [J.R.R. Tolkien, "Lord of the
