Request for App Store Policy Changes

I think it’s extremely important that apps disclose the libraries they are using in the App Store. As someone who builds websites for clients and runs my own store, it’s important to know which libraries an app is using so that I can be certain there will be no issues or unnecessary libraries that could negatively impact performance and security.

The main issue I’ve noticed is apps using jQuery. I found 2 apps using this, and both used a version older than v1.13, which is from 2016, with many security vulnerabilities.

We have another app that was running jQuery 1.11 until I mentioned the issues with that library to their developers and they updated to 2.2.4; however, that is also flagged as medium risk by Lighthouse. We spent a lot of time integrating this app into the store assuming that they wouldn’t be using jQuery. If they decide not to convert their code to vanilla JavaScript, we will have to do that work again with another app.

I think it should be a requirement of apps to use either a specific set of Shopify approved libraries hosted on Shopify’s CDN, or to disclose all the libraries used by the app so that users can know of any libraries used before installing the app.

It would be great to get a response from Shopify on this when possible. I think for transparency purposes it should be enabled as soon as possible on the App Store.