Because since it wasn't made by a big multibillion corporation, it is inherently unsafe, like every other thing not made by big multibillion corporations.
Only big money can be trusted.
(I'm obviously not serious here, but I do find it sad how people are fine trusting projects by FAANG, Microsoft, IBM and others of similar scale but once something is made by someone with a human face it suddenly is a problem unless it is a toy)
Because single humans are busy, get bored, get distracted, stop wanting to maintain servers, stop wanting to pay for servers etc.
If the product was released by some self-sustaining entity like a business, foundation or otherwise bankrolled and staffed by parties with an interest in keeping it up then it would be much less of an issue.
The value in almost all software is the maintenance. React being good software is one thing, but what makes it so attractive is that Facebook (and these days many others) have a financial interest in keeping it maintained.
Security note: Please remember that, while this is a great idea, it’s also an excellent platform for causing havoc such as phishing if the operator’s account is ever hacked or turns malicious. For demo purposes it’s obviously fine but do not make this live without hosting your own, or consider the risk of it sending users to e.g. “glthub.com” someday.
How is this any different from hotlinking an image? I don't understand the security risk here? If a bad actor gets control of the domain all they can do is change the svg that you render.
I suppose you could parse that SVG in an insecure way (if for some reason you were parsing it) but that's not a problem with using the service.
The link to the github repo is located in the code you paste on your own website, so you already host that part yourself. The only thing someone could change if the account is hacked is the contents of the image.
If gh-card.dev ever changes, you might find javascript being injected via the SVG instead of it just being an image. That's what the GP is alluding to, and recommending you host the gh-card code yourself rather than using their hosted instance.
It’s turtles all the way down. The point here is that people don’t consider third-party content inclusion to be more of a risk than “completely harmless”, which is generally false: the risk may or may not be slight, but it’s never non-zero.
And to follow up specifically to the npm modules, if you're self hosted, you can (but probably won't) audit the contents of what's been deployed when you deploy. You can then also keep that snapshot frozen in time, so you won't necessarily be impacted by any changes to those modules in future.
If you're using the hosted version, you have no idea whether or not the modules are being updated, which versions are in use, etc.
Having control of your environment gives you the opportunity to be more (or even less) secure. It's important to fully understand the risk / potential harm that outsourcing that responsibility to random persons can have.
Ahh, I see what you mean. You're right, so the card server does have a purpose.
Hmm, perhaps the SVG can be regenerated on the server-side during a build step or static site generation. That might remove the dependency at least on the client side.
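As an added example (not code from this thread or from the gh-card project), a build-time gate for the approach just described: fetch the card once, refuse to inline it unless it is plain drawing content (no script elements, no event-handler attributes, no javascript:/data: links, no links to hosts other than the expected one), and commit the vetted copy so the page never pulls from the third-party host at runtime. It assumes only Python's standard library and that a legitimate card links to github.com; the two SVG fixtures are constructed, not real gh-card output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements that can run script or embed foreign content; a static repo card needs none of them.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(svg_text, allowed_hosts=()):
    """Return reasons this SVG must not be inlined; an empty list means plain drawing content."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():  # document order, root element included
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ... run script when inlined
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":  # covers both SVG 2 href and xlink:href
                url = urlparse(value.strip())
                if url.scheme.lower() in DANGEROUS_SCHEMES:
                    findings.append(f"{url.scheme}: URL on <{tag}>")
                elif url.hostname and url.hostname not in allowed_hosts:
                    findings.append(f"link to unexpected host {url.hostname} on <{tag}>")
    return findings

def snapshot_is_safe(svg_text, allowed_hosts=("github.com",)):
    """Build-step gate: True only if the fetched card may be committed and inlined."""
    return not svg_findings(svg_text, allowed_hosts)

# Constructed fixtures (not real gh-card output): a clean card and a tampered one.
CLEAN_CARD = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="100">
  <a href="https://github.com/example/repo"><rect width="400" height="100" fill="#fff"/>
  <text x="10" y="50">example/repo</text></a></svg>"""
TAMPERED_CARD = """<svg xmlns="http://www.w3.org/2000/svg" onload="/* marker */">
  <a href="https://glthub.com/example/repo"><text x="10" y="50">example/repo</text></a>
  <script>/* marker */</script></svg>"""

if __name__ == "__main__":
    for label, card in (("clean", CLEAN_CARD), ("tampered", TAMPERED_CARD)):
        print(label, svg_findings(card, ("github.com",)) or "OK")
```

Browsers do not run scripts in an SVG referenced via `<img src=...>`, so this check matters when the build step inlines the SVG into the HTML or embeds it with `<object>`. It is a validator, not a sanitizer: a card that fails the gate should be rejected and investigated, not repaired automatically.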
I was thinking of doing something similar with auto-generated SVG files for open graph images. Does anyone know if FB/Twitter etc support SVG images for open graph content?