polyfill.io supply chain

[vostrik]

Should we discuss the situation around polyfill.io?

Subj: https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know

Background: https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

Potential npm packages which inject this code in runtime:

1. https://github.com/search?q=polyfill.io+language%3ATypeScript+&type=code
2. https://github.com/search?q=polyfill.io+language%3AJavaScript+&type=code

What I personally think: maybe we should try to suspend from Node.js community side new owners at GitHub as potentially malicious distributor. It looks like the new owners are deleting all issues related to the situation:

1. https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834
2. https://github.com/polyfillpolyfill/polyfill-service/issues/2834

[wesleytodd]

This group really doesn't have any purview into this kind of issue. The only thing I think we could do is help elevate the message that using 3rd party CDN's, no matter the reasoning, is a security risk and should be avoided. Same goes for things loaded from https imports in esm, if you load from a 3rd party that is a security risk you need to understand before doing it.

[ljharb]

I agree - this is an application concern, not a package concern.

It's also worth noting that "host your own assets" has been a widely spread best practice for over a decade (as is not deploying directly from the public npm registry).