JS analysis #9097

@connorjclark

We have some exciting stuff here.

Use in code snippets

EDIT: hmm... we don't actually show the contents of ScriptElements anywhere. So no need to do this yet.

Audit for presence of source maps

We shouldn't expect every JS script for a site to have a source map, but the main scripts of a page should. Example - GTM isn't gonna include a source map, and even if it did we wouldn't find anything useful to report to the user, so we certainly shouldn't complain about it missing there.

We could just look at same-origin scripts, but that misses out on the whole world of people using CDNs.

How should we surface prompts to include source maps, and how should we narrow it to just scripts that are actually interesting to us? To score, or not to score?

Bundle

Use bundle-buddy on scripts with source maps + source contents.

Audit for vulnerable packages

We can't hope to determine the package version from a bundle, but we can at least surface if an entire package is marked vulnerable by Snyk. Are there enough packages 100% vulnerable to bother with this?

What if we publish a Webpack module that injected that information into a bundle? *intensifies audacity* what if the source map spec included package version information?
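
A sketch of the name-only package check discussed under "Audit for vulnerable packages", added here as an illustration; it is not code from this issue or from the project. The sample source map, the package names, and the `fullyVulnerable` list are constructed placeholders, and the function names are hypothetical.

```javascript
// Package names are recovered from a source map's `sources` paths. No version
// is available there, so only whole-package advisories can be matched.

// Constructed sample source map (only the field this check reads).
const sampleMap = {
  version: 3,
  sources: [
    'webpack:///./src/index.js',
    'webpack:///./node_modules/example-pkg-a/index.js',
    'webpack:///./node_modules/@acme/widgets/lib/button.js',
    'webpack:///./node_modules/a/node_modules/nested-dep/main.js',
    'webpack:///webpack/bootstrap',
    null, // the source map format allows null entries
  ],
};

// Hypothetical placeholder: packages for which every version is flagged.
const fullyVulnerable = new Set(['example-pkg-a', 'nested-dep']);

// Return the npm package a source path belongs to, or null for first-party code.
function packageFromSource(sourcePath) {
  const marker = 'node_modules/';
  const idx = sourcePath.lastIndexOf(marker); // innermost nested package wins
  if (idx === -1) return null;
  const parts = sourcePath.slice(idx + marker.length).split('/');
  if (parts[0].startsWith('@')) {
    // Scoped package: the name is "@scope/name".
    return parts[1] ? `${parts[0]}/${parts[1]}` : null;
  }
  return parts[0] || null;
}

// Unique, sorted package names referenced by one source map.
function packagesInMap(map) {
  const names = new Set();
  for (const source of map.sources || []) {
    if (typeof source !== 'string') continue;
    const name = packageFromSource(source.replace(/\\/g, '/'));
    if (name) names.add(name);
  }
  return [...names].sort();
}

// Packages in the bundle that appear on the whole-package advisory list.
function flaggedPackages(map, advisories) {
  return packagesInMap(map).filter((name) => advisories.has(name));
}

console.log(flaggedPackages(sampleMap, fullyVulnerable));
```

This only works for bundles whose source maps keep `node_modules` paths in `sources`; a script without a source map yields nothing to check.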
