Browser-compatible version #721

Open
lsd-cat opened this issue Jun 26, 2024 · 5 comments

lsd-cat commented Jun 26, 2024

As part of my work on sigstore/sigstore-js#1195, I would like to port at least a subset of the functionality of this package to work in a browser natively. Of course, some compromises have to be made, namely the only way to make external requests is fetch() and it is not possible to have local filesystem access. I can implement caches anyway through any of the storage methods offered for plugins.

I will keep updates here of my result, and eventually I'd be happy to contribute back anything that could be useful.

GauBen commented Apr 4, 2025

The massive dependency tree of make-fetch-happen is also a blocker to bring provenance to Yarn: yarnpkg/berry#6750

#849 has been open for a while, maybe a less violent breaking change is turning tuf-js into a BYOF (bring your own fetch) library. It would allow consumers to choose between make-fetch-happen, globalThis.fetch, undici, node-fetch...

Can I be of any help?

lsd-cat commented Apr 4, 2025

I gave up on the porting efforts and ended up writing a minimal client implementation that has no dependencies and is browser-native here. Though for long-term sustainability, it would still probably be better to find a way to drop my custom version and use a supported client. Back then I did manage to port almost all the crypto, but then fetch and file system access were major blockers, both theoretically solvable but time-intensive for somebody with no expertise in that codebase. So I think it would be useful! We are on a path to continue development there, so we might come back to attempt the port again if there are improved circumstances.

GauBen commented Apr 4, 2025

Oooooh that's pretty nice! Any chance you publish it as an npm package for node usage?

Btw you have "vite-plugin-web-extension": "^4.2.0" in your dependencies

lsd-cat commented Apr 4, 2025

> Oooooh that's pretty nice! Any chance you publish it as an npm package for node usage?

I would like to, and the development led to some discoveries. There are no tests and spec parts are still missing; I use it only for the Sigstore trust material updates. It was written as a research project, but it's possible that I might get to keep working on it; if that's the case, I'd say we'd look into packaging for sure!

> Btw you have "vite-plugin-web-extension": "^4.2.0" in your dependencies

Oopsie, you are right, I meant no runtime dependencies. Afaik that is useful to have the TypeScript types and for building, but there should not be third-party code in the output file.

arcanis commented Apr 4, 2025

> #849 has been open for a while, maybe a less violent breaking change is turning tuf-js into a BYOF (bring your own fetch) library. It would allow consumers to choose between make-fetch-happen, globalThis.fetch, undici, node-fetch...

That'd be ideal (rather than directly using fetch, although it could be configured as the default "driver"), as for example for Yarn we have our own fetch-like function that takes the package manager network configuration into account.
