[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

Nikolaus Rath wrote:
> I don't think 28 kB vs 73 kB is a difference that people will notice
> over the network in *most* situations. Even at just 100 kB/s that's
> 0.28 vs 0.73 seconds, and only when the page is first loaded.

That's absolutely a critical difference, even on a faster connection.
Multiple studies have demonstrated that page load time matters for user
retention.  Amazon did a study that showed every ~100ms of page load
delay lost them 1% in sales.  Google found that half a second slower
load time for results pages drove off 20% of users.  Google also
prioritizes faster sites in search results.

So yes, minifiers matter.  (Hopefully WebAssembly will help in the
future, since even minified JavaScript runs through a text-based
lexing/parsing engine; compiled code could almost certainly beat it on

That said, we absolutely do need to fix this in Debian: it's not OK to
build packages in main using tools not shipped in Debian, or to ship
precompiled files.  As a start, it would help if when JavaScript folks
try to package the packages needed as part of their toolchain, they stop
getting told that their packages are too small, that they shouldn't be
packaged at all, or that they should be combined with other packages
that have different upstream sources and release cycles.

- Josh Triplett

Reply to: