
The Linux Foundation's "sigstore" project


Posted Mar 12, 2021 20:11 UTC (Fri) by calumapplepie (guest, #143655)
In reply to: The Linux Foundation's "sigstore" project by IanKelling
Parent article: The Linux Foundation's "sigstore" project

I disagree on the risks of running arbitrary JavaScript being increased by its nonfree status.

I'm not denying that security holes to exploit exist: there are 0-days in Chrome and other browsers. However, they are rare, of the level that implies nation-state actors, and require long, delicate chains. But my experience with The Great Suspender (see https://lwn.net/Articles/846272/ ) shows that making sure to run open-source code doesn't prevent you from running hostile code.

TGS was a fully open-source extension with 2 million users. A dozen red flags were thrown (new maintainer, from outside the community, with no details of their existence, who never announces their presence, is said to have "purchased" the extension, makes a surprise release, doesn't put out a changelog, doesn't tag the release, includes code in release not on GitHub, requests additional permissions in release, and has dubious reasons for said permissions).

After three months, there was almost no change in the number of users.

The JavaScript library in question is open-source, as others have pointed out: while it is minified, that is to speed pageloads and is standard on the web. But that doesn't mean it's innocent. A reproducible build stack doesn't mean that the source code doesn't exploit a 0day. Even if it was distributed unminified, there is no way to know where a 0day may exist: reliably differentiating an unusual style choice from a sandbox compromise can't be done without running the code and carefully monitoring the executor.

Any time you run JavaScript from the internet, you are risking falling victim to 0days: regardless of if it's open-source or not, distributed minified or unminified. If that concerns you, install NoScript. If you still want SOME scripts, use LocalCDN and uBlock Origin in 'hard' mode. But know that while both of those extensions are fully open-source, either one has all the power it needs to compromise the entirety of your browsing activity.

We can debate the necessity of the site including any JavaScript on this site separately. But there is no way to run remote JavaScript (of ANY sort) securely without trusting that the web browser sandbox is resilient. There is furthermore no way to be certain that the techniques you use to prevent JavaScript from running are themselves malicious. At some point, you need to draw the line of trust: drawing the line where minified open-source JavaScript is on one side and unminified open-source code isn't is not a good place.



