this post was submitted on 28 Jun 2025
3 points (80.0% liked)

Experienced Devs


Not to poke at React or any of the other popular frameworks, I'm sure they're suitable for Cybersecurity projects. They surely go through things like reviews and audits.

I'm asking from the perspective that web components are native to the browser and thus reduce what I think are called supply chain attacks (like if "npm install" introduces something it shouldn't).

Maybe the frameworks don't matter and it depends on the browser/OS/device it's run on?


Context: I have a p2p messaging app created with ReactJS and a separate project for a UI framework based on Lit. Both these projects can be a whole separate discussion. I was wondering if there could be any advantages to refactoring (or starting from scratch) the messaging-app to be based on the webcomponent ui framework.

Same question on r/ExperiencedDevs with comments here. I have an answer there, but posting here in case anything is being overlooked.

top 2 comments
jubilationtcornpone@sh.itjust.works 2 points 2 days ago (1 children)

The actual question I'm reading from this is "are components that I build myself more secure than those provided by a third party library?"

You should correct me if that's not what you're asking.

The short answer is "probably not." You can and will introduce bugs and vulnerabilities into your own software.

The main downsides of third party libraries are that they can have dependencies that you may not know about and vulnerabilities in third party libraries mean that a given vulnerability is just as widespread as the library that it exists in.

Most "bad actors" are opportunists so a specific vulnerability being widespread tends to work in their favor by increasing opportunities.

That said, I wouldn't waste your time rewriting functionality that already exists in other libraries unless you have a very compelling reason for it.
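The "dependencies that you may not know about" mentioned in the comment above can be listed from the lockfile that `npm install` writes. This is an added example, not part of the original comment: it reads the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and reports direct versus transitive packages, packages that run install scripts, and entries with no integrity hash or a non-registry source. The lockfile content, package names and hosts below are constructed for illustration.

```javascript
// Constructed sample lockfile; package names, versions and hosts are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "messaging-app",
          dependencies: { "ui-lib": "^1.0.0" },
          devDependencies: { "build-tool": "^2.0.0" } },
    "node_modules/ui-lib": { version: "1.0.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/ui-lib/-/ui-lib-1.0.0.tgz" },
    "node_modules/tiny-helper": { version: "0.3.1", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/tiny-helper/-/tiny-helper-0.3.1.tgz",
      hasInstallScript: true },
    "node_modules/ui-lib/node_modules/fmt": { version: "4.0.0",
      resolved: "https://git.example.invalid/fmt-4.0.0.tgz" },
    "node_modules/build-tool": { version: "2.0.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/build-tool/-/build-tool-2.0.0.tgz", dev: true },
  },
};

function auditLockfile(lock, registry = "https://registry.npmjs.org/") {
  const root = lock.packages[""] || {};
  // Names the project itself asks for; everything else arrived transitively.
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
  const report = { direct: [], transitive: [], installScripts: [], noIntegrity: [], offRegistry: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || meta.link) continue; // skip the root project and workspace symlinks
    const name = path.split("node_modules/").pop(); // keeps "@scope/name" intact
    const id = `${name}@${meta.version}`;
    // A path with two "node_modules/" segments is a copy nested under another package.
    const nested = path.indexOf("node_modules/") !== path.lastIndexOf("node_modules/");
    (direct.has(name) && !nested ? report.direct : report.transitive).push(id);
    if (meta.hasInstallScript) report.installScripts.push(id); // runs code at install time
    if (!meta.integrity) report.noIntegrity.push(id);          // tarball is not hash-pinned
    if (meta.resolved && !meta.resolved.startsWith(registry)) report.offRegistry.push(id);
  }
  return report;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

To run it on a real project, pass `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` instead of `SAMPLE_LOCK`.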

xoron@programming.dev 1 points 2 days ago

thanks for your thoughts.

that's not quite what i'm asking. i'm wondering if there are nuanced benefits to using webcomponents over something like react. with the key difference being the native support.

i hope with the webcomponent approach it could be "future-proof" as it seems to be the rhetoric i hear around. i'm sure i won't have a great implementation any time soon, but i'd like to try out a few ideas to see if it holds up. hopefully to lead to a "secure javascript ui framework" (which itself could be a whole discussion). i hope that by having it open source, i can point to an example to discuss and improve it.

it seems for the messaging app refactor, i'll be fine to use react on it. which is great because i already have a working-ish demo.