Description
The Stoplight admin interface currently serves static assets (JavaScript, CSS, etc.) from external CDN sources. This introduces an external dependency and increases the attack surface of applications using Stoplight's admin functionality.
- Assets loaded from third-party CDNs (e.g., cdnjs.cloudflare.com, unpkg.com)
- Requires outbound network access to CDN endpoints
- Vulnerable to supply chain attacks if CDN is compromised
- Potential privacy concerns (CDN tracking, IP logging)
- Admin interface breaks if CDN is unavailable or blocked by corporate firewall
Proposed Solution
Vendor all admin interface assets directly into the gem:
lib/stoplight/
  admin/
    assets/
      admin.css
      admin.js
      vendor/
        [vendored libraries]
Serve assets using Rack or similar middleware from the gem's filesystem rather than CDN URLs.
Acceptance Criteria
- All external CDN references removed from admin HTML templates
- Assets bundled into gem and served from local paths
- Admin interface fully functional without internet connectivity
- No breaking changes to admin interface functionality
Potential Concerns
Gem Size
Vendoring may increase gem size by 500KB-2MB depending on assets
-> Use minified versions, consider gzip serving
License Compatibility
Ensure all vendored libraries compatible with Stoplight's license
-> Audit licenses before bundling
Manual updates needed when asset libraries release security patches
-> Document versions, can we set up dependabot for tracking?
Cache Busting
Need versioned asset URLs for browser caching
-> Add version/hash to asset paths: /assets/admin-#{VERSION}.js
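A Rack-compatible asset endpoint with content-hashed paths, added here as an example (not Stoplight's own code) of the "serve assets via Rack from the gem's filesystem" proposal together with the cache-busting item; the class name AdminAssets and the sample asset directory it builds are assumptions, and the point to note is that requests are answered only from an allow-list built at boot, so no request path is ever joined onto the filesystem.

```ruby
require 'digest'
require 'tmpdir'
# Rack-compatible endpoint that serves vendored admin assets from a directory
# inside the gem, using content-hashed paths for cache busting:
#   /assets/admin-<first 16 hex chars of SHA-256>.js
class AdminAssets
  # Only a plain file name and a fixed-width hex digest are accepted; '/' is
  # excluded, so a request path can never walk outside the asset root.
  ASSET_PATTERN = %r{\A/assets/([A-Za-z0-9_.-]+)-([0-9a-f]{16})\.(js|css)\z}
  CONTENT_TYPES = { 'js' => 'application/javascript', 'css' => 'text/css' }.freeze
  NOT_FOUND = [404, { 'content-type' => 'text/plain' }, ['Not Found']].freeze

  def initialize(root)
    # Manifest built once at boot: logical name -> [fingerprinted URL, file].
    # Requests are answered only from this allow-list, never via path joins.
    @manifest = {}
    Dir.glob(File.join(File.expand_path(root), '*.{js,css}')).sort.each do |file|
      name = File.basename(file)
      digest = Digest::SHA256.file(file).hexdigest[0, 16]
      url = "/assets/#{File.basename(name, '.*')}-#{digest}#{File.extname(name)}"
      @manifest[name] = [url, file]
    end
  end

  # URL to embed in the admin HTML template for a logical asset name.
  def path_for(name)
    @manifest.fetch(name).first
  end

  def call(env)
    m = ASSET_PATTERN.match(env['PATH_INFO'].to_s)
    return NOT_FOUND unless m
    base, _digest, ext = m.captures
    url, file = @manifest["#{base}.#{ext}"]
    # A stale or forged digest is a 404 rather than the current file, so an
    # immutable cache entry can never end up holding the wrong content.
    return NOT_FOUND unless url == m[0]
    body = File.binread(file)
    [200, { 'content-type' => CONTENT_TYPES[ext], 'content-length' => body.bytesize.to_s,
            'cache-control' => 'public, max-age=31536000, immutable' }, [body]]
  end
end
# Constructed sample assets standing in for lib/stoplight/admin/assets/.
def build_sample_assets
  dir = Dir.mktmpdir('stoplight-assets')
  File.write(File.join(dir, 'admin.js'), "console.log('stoplight admin');")
  File.write(File.join(dir, 'admin.css'), 'body { margin: 0; }')
  dir
end
```

The object responds to `call(env)` with a standard Rack triple, so it can be mounted with `map '/assets' { run AdminAssets.new(root) }` in a config.ru without any extra dependency, and `path_for('admin.js')` gives the template the hashed URL to emit.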