live-codes / livecodes

Code Playground That Just Works!
https://livecodes.io
MIT License

polyfill.io concerns #519

Closed gapmiss closed 6 months ago

gapmiss commented 6 months ago

I've noticed (via Little Snitch firewall) that Livecodes will sometimes load JavaScript from polyfill.io and recently saw this tweet from @wesbos.

[Screenshot of the tweet by @wesbos, 2024-02-27]

Also: https://github.com/polyfillpolyfill/polyfill-service/issues/2834

Is this the same polyfill that Livecodes uses? I did a search for polyfill.io and found the script tag.

https://github.com/live-codes/livecodes/blob/367fa259da25e690a55eb37d72285d6cd30a48e7/src/livecodes/html/app.html#L198

Thank you

gapmiss commented 6 months ago

More… New options for Polyfill.io users

hatemhosny commented 6 months ago

Thank you @gapmiss for raising this.

I have also found that Cloudflare has published a fork https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

This might be more suitable for LiveCodes since it is already hosted on Cloudflare.

hatemhosny commented 2 months ago

FYI

https://sansec.io/research/polyfill-supply-chain-attack

https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/