on Mon Aug 17 2020
Reproducible builds, with a lockfile
Use LTS versions where you care less about bleeding edge features
Tests that assert only expected requests are sent out
Use Subresource Integrity attributes on script and link tags
<script integrity="sha256-oqVuAP" crossorigin="anonymous" src="core.js"></script>
crossorigin="anonymous" means the request is made without credentials, so no cookies are sent with it.
The hash value is generated from the content of the file. SRI gives you control over third-party libraries changing underneath you: if the hash of the fetched file does not match the integrity attribute, the browser refuses to load it. When a change is intentional, update the SRI hash.
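Added example (not from the original note) showing how an SRI token is built from file bytes and how the browser-side check behaves, including the rule that only the strongest listed algorithm counts and that unknown algorithms are ignored. The script contents and the "tampered" copy are constructed sample data.

```python
import base64
import hashlib
import re

# Hash algorithms SRI accepts, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha256") -> str:
    """Build an integrity token such as 'sha256-<base64 digest>' for file bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attribute: str) -> dict:
    """Parse a space-separated integrity attribute into {algorithm: [digests]}.
    Tokens with unknown algorithms are skipped, as a browser would skip them."""
    tokens = {}
    for token in attribute.split():
        match = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if not match:
            continue
        tokens.setdefault(match.group(1), []).append(match.group(2))
    return tokens


def check_integrity(content: bytes, attribute: str) -> bool:
    """Mimic the browser check: keep only the strongest algorithm present and
    accept the resource if any digest listed for it matches the fetched bytes."""
    tokens = parse_integrity(attribute)
    if not tokens:
        return True  # no usable metadata: the resource loads unchecked
    strongest = max(tokens, key=SRI_ALGORITHMS.index)
    actual_digest = sri_hash(content, strongest).split("-", 1)[1]
    return actual_digest in tokens[strongest]


# Constructed sample data: the library as pinned, and a later changed release.
ORIGINAL_JS = b"window.core = { version: '1.0.0' };\n"
CHANGED_JS = b"window.core = { version: '1.0.1' };\n"

if __name__ == "__main__":
    token = sri_hash(ORIGINAL_JS)
    print(f'<script integrity="{token}" crossorigin="anonymous" src="core.js"></script>')
    print("original accepted:", check_integrity(ORIGINAL_JS, token))
    print("changed release accepted:", check_integrity(CHANGED_JS, token))
```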