What
mm web requires outbound network to cdnjs.cloudflare.com and
cdn.jsdelivr.net to render the Web UI and the API docs. In offline /
firewalled / air-gapped environments — a fairly common deployment for a
local memory tool — code highlighting, markdown rendering, HTML
sanitization, and the Swagger UI all degrade or break.
Concrete dependencies
Web UI (packages/memtomem/src/memtomem/web/static/index.html):
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/.../prism-tomorrow.min.css" />
<script src="https://cdnjs.cloudflare.com/.../purify.min.js"></script>
<script src="https://cdnjs.cloudflare.com/.../marked.min.js"></script>
<script src="https://cdnjs.cloudflare.com/.../prism.min.js"></script>
<script src=".../prism-python.min.js"></script>
<script src=".../prism-typescript.min.js"></script>
<script src=".../prism-json.min.js"></script>
<script src=".../prism-bash.min.js"></script>
<script src=".../prism-yaml.min.js"></script>
User-visible breakage when blocked:
- DOMPurify missing → markdown rendering falls through with no
sanitization, or breaks entirely depending on call sites.
- marked missing → markdown bodies render as raw text.
- Prism missing → code blocks lose syntax highlighting.
No SRI hashes (integrity=...) are set, so cdnjs compromise is also
trust-on-first-use.
Swagger UI (packages/memtomem/src/memtomem/web/app.py:138):
This uses FastAPI's default swagger_ui_parameters, which loads
swagger-ui-bundle.js and swagger-ui.css from cdn.jsdelivr.net.
Offline → broken docs page.
Suggested directions
Two independent decisions:
- Web UI assets — vendor a fixed-version copy under
packages/memtomem/src/memtomem/web/static/vendor/ and point the
<script>/<link> tags at /vendor/.... Adds ~200KB to the package
(DOMPurify ~22KB, marked ~40KB, Prism core+5 langs ~30KB minified). PR
would need a THIRD_PARTY_LICENSES entry per dependency.
- Swagger UI assets — override the default /api/docs route with
get_swagger_ui_html() and bundled local copies, or accept jsdelivr as
a known dev-time dependency and document the limitation. API docs are
developer-facing, so this is less urgent than the Web UI fix.
A weaker alternative is to keep the CDN refs but add SRI hashes plus an
onerror graceful fallback (e.g. plain <pre> rendering when Prism
fails to load). That's smaller but doesn't fix the offline case.
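To make either direction checkable, here is an added example (not code from the memtomem project) that audits an HTML page for remote script/stylesheet tags loaded without an integrity attribute and computes the SRI value to pin a vendored file. The sample HTML and the /x/ paths in it are constructed for the example.

```python
"""Audit an HTML page for CDN assets without Subresource Integrity, and
compute the integrity value needed to pin a vendored copy."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the tags quoted in the issue; the
# /x/ paths and the pinned "marked" hash are illustrative only.
SAMPLE_INDEX_HTML = """
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/x/prism-tomorrow.min.css" />
<script src="https://cdnjs.cloudflare.com/x/purify.min.js"></script>
<script src="https://cdnjs.cloudflare.com/x/marked.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/vendor/prism.min.js"></script>
"""

def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity="..." value for `data` (sha256, sha384 or sha512)."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

class _AssetScanner(HTMLParser):
    """Collect remote <script src> / <link href> URLs lacking integrity=."""
    def __init__(self):
        super().__init__()
        self.unpinned = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        # Protocol-relative (//cdn...) and absolute http(s) URLs are remote.
        remote = url.startswith("//") or urlparse(url).scheme in ("http", "https")
        if remote and not a.get("integrity"):
            self.unpinned.append(url)

def find_unpinned_assets(html: str) -> list:
    """Return remote asset URLs loaded without SRI, in document order."""
    scanner = _AssetScanner()
    scanner.feed(html)
    return scanner.unpinned

if __name__ == "__main__":
    for url in find_unpinned_assets(SAMPLE_INDEX_HTML):
        print("no integrity:", url)
    print(sri_hash(b"/* contents of the vendored file go here */"))
```

Remote tags that get an integrity attribute also need crossorigin="anonymous", otherwise the browser cannot verify the hash and refuses the asset.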
Severity
Low to medium depending on deployment. Default mm web on a workstation
with internet works fine. Offline / corporate-firewall users hit it
immediately and silently — the SPA loads, but markdown/code rendering
degrades without a clear error.
Related: 1st-pass review item, paired with the Swagger CDN finding from
the 2nd-pass review.