Is this package malware? #20
Comments
|
It’s the compressed (customs format) utf-8 data for ENS normalization. :) |
I can add comments to those blobs however I'm not sure if the The base64-encoded payloads are built by src/make.js. From my tests, this technique beats gzip even with the overhead of including the decompressor. I can add checksum hashes to each for extra assurance. I've looked at a lot of Unicode-related libraries and nearly all of them include magic files and exotic build scripts. They're also very fragile in the sense they're almost impossible to safely tweak. This project is both end-to-end and designed for easy experimentation. If you clone the repo, you should be able to derive the entire spec and build the library, starting from the raw ingredients (Unicode files + ENS Rules) by following the readme instructions . Clone-to-built should take less than a minute. You can even go a step further, delete the Unicode data, and download it yourself. A fresh build should reproduce the spec hash found in my build. The build process also embeds all of the source information in src/include-versions.js. |
Yes, they are. I audit code. I did not download your repo. I downloaded ethers, non-minified. I see this base64 stuff that's impossible to decrypt without spending a few hours. It definitely feels like malware. So, again, the comments are needed and they would help. What is the specific build size win you're getting from this technique?
This could help, but the comments are still needed, with detailed steps on how to reproduce it, links to README, etc. |
|
Yes, that's much better. |
|
These changes went live in 1.9.4 |
Probably not, but why are you having this code?
This looks very similar to something malware would do. There are no comments or a description of this code.
If this is not malware, you should really add some comments.
The text was updated successfully, but these errors were encountered: