I’ve recently uploaded an update to my addon and it got auto-approved by the addon validation.
Unfortunately it was removed from AMO just a few hours later because one of the included libraries didn’t match any known hash values (my IDE had replaced all Unix newlines (LF) with Windows newlines (CR+LF)…).
It would be really helpful if the automated addon validation would display a warning about mismatching/unknown hashes.
From a security perspective it might even be considered to block such addons from automated approval.
All right, if we include a library with <script src="jquery.js"></script>, the validator can check the library hash of the jquery.js file to see if it’s an authorized version.
But what if, like I do for my extension, the libraries are included with a tool like webpack (or browserify) to create a single bundle file containing all the libraries? Checking whether each individual included library matches the allowed hashes gets more complex, if it is possible at all.
I presume it has to be done from the source code that is to be provided along with the add-on binary.
If a policy/process is to be defined/updated regarding this, it should take into account this bundling method, as it is getting more and more popular in web development.
They would fail the validation and get rejected on post review.
It is not feasible to unpack hundreds of thousands of lines of minified code and check them line by line, and that is the reason compiled libraries have always been rejected.
I often see JS files that are 3+ MB. Besides the poor performance, they are not feasible for review. They also often include a massive amount of useless code that is added by the framework.
I would recommend not bundling libs with webpack whenever possible. This means just loading the lib like normal and using externals to then make them available as modules in your webpack bundle.