
> And hoping it includes all the java it needs, and doesn't go out and pick up some 3rd party library?

What Java? It's a self-contained, monolithic HTML file with JS and CSS inline. What dependency are you imagining you're not going to have?

> You would have to audit it to ensure it never includes everything else, or posts anything externally with every release.

Exactly as you would with KeePass, or any other conceivable solution. If you don't want to audit future releases, save the last one you audited and use that.



Oops, JavaScript, not Java.


Don't forget to audit your browser (the thing without a version number anymore and with various metatemplates and it dynamically downloads on every load) and its implementation of ECMAScript. But everyone already knew that.

Really, auditing this is impossible.


By that logic, you can't know KeePass is safe without auditing Mono, your compiler, your checksum tool, the editor you used for the audit, the logic gates of your CPU, etc. Auditing anything is impossible.

If you can't get a copy of Firefox that you trust hasn't been altered as part of a conspiracy to make you believe OneShallPass is a legit password manager, you've got bigger problems.
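
Added example, not part of the thread and not OneShallPass code: a sketch of the audit step discussed above for a single-file HTML app. It lists remote resource references and network-capable JS API names, and records a SHA-256 so the audited copy can be pinned. The sample HTML strings, the API list and all names are constructed assumptions.

```python
import hashlib
import re
from html.parser import HTMLParser

# Heuristic list of JS APIs that can reach the network. A hit means
# "read this code", not "malicious"; obfuscated code can evade a name match.
NET_APIS = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon)\b")
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)  # absolute or protocol-relative URL

# Constructed sample inputs (not taken from any real project).
SELF_CONTAINED = "<html><head><style>body{margin:0}</style></head><body><script>var x = 1;</script></body></html>"
WITH_REMOTE = (
    '<html><head><script src="https://cdn.example/lib.js"></script></head>'
    '<body><script>fetch("/x", {method: "POST"});</script></body></html>'
)


class SingleFileAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_refs = []    # (tag, attribute, url) the browser would load
        self.net_api_hits = []   # API names seen inside inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            # src on any tag, stylesheet/preload links, and form targets
            loads = name == "src" or (tag, name) in {("link", "href"), ("form", "action")}
            if loads and value and REMOTE.match(value):
                self.remote_refs.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.net_api_hits.extend(NET_APIS.findall(data))


def audit(html_text):
    """Return findings plus a digest identifying exactly the text that was reviewed."""
    parser = SingleFileAudit()
    parser.feed(html_text)
    parser.close()
    return {
        "sha256": hashlib.sha256(html_text.encode("utf-8")).hexdigest(),
        "remote_refs": parser.remote_refs,
        "net_apis": sorted(set(parser.net_api_hits)),
    }
```

Empty findings narrow what a manual read has to cover; they do not replace it. Comparing the stored digest before each use confirms the file is still the copy that was reviewed.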



