Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

polyfill.io supply chain #603

Open
vostrik opened this issue Jun 26, 2024 · 2 comments
Open

polyfill.io supply chain #603

vostrik opened this issue Jun 26, 2024 · 2 comments

Comments

@vostrik
Copy link
Member

vostrik commented Jun 26, 2024

Should we discuss the situation around polyfill.io?

Subj:
https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know

Background:
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

Potential npm packages which inject this code in runtime:

  1. https://github.com/search?q=polyfill.io+language%3ATypeScript+&type=code
  2. https://github.com/search?q=polyfill.io+language%3AJavaScript+&type=code

What I personally think: maybe we should try to suspend from Node.js community side new owners at GitHub as potentially malicious distributor.
It looks like the new owners are deleting all issues related to the situation:

  1. https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834
  2. https://github.com/polyfillpolyfill/polyfill-service/issues/2834
@wesleytodd
Copy link
Member

This group really doesn't have any purview into this kind of issue. The only thing I think we could do is help elevate the message that using 3rd party CDN's, no matter the reasoning, is a security risk and should be avoided. Same goes for things loaded from https imports in esm, if you load from a 3rd party that is a security risk you need to understand before doing it.

@ljharb
Copy link
Member

ljharb commented Jul 17, 2024

I agree - this is an application concern, not a package concern.

It's also worth noting that "host your own assets" has been a widely spread best practice for over a decade (as is not deploying directly from the public npm registry).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants