nomad-coe / nomad

NOMAD lets you manage and share your materials science data in a way that makes it truly useful to you, your group, and the community.
https://nomad-lab.eu
Apache License 2.0

Insecure 3rd party dependency #107

Closed behnle closed 1 month ago

behnle commented 1 month ago

Dear NOMAD developers, while trying to hunt down another issue, I realized that my NOMAD Oasis tries to pull in JS code from polyfill.io. This site has recently been used for a supply-chain attack, see e.g.: https://www.golem.de/news/angriff-via-polyfill-io-ueber-100-000-webseiten-verbreiten-ploetzlich-malware-2406-186452.html

Please get rid of this and other insecure or potentially dangerous 3rd-party dependencies ASAP. As the one responsible for our Oasis, I don't want to be held accountable for distributing malware to my users. If you think that such code is needed, please bundle it with the other distributed source.

NOMAD version: 1.3.3

lauri-codes commented 1 month ago

Hi @behnle!

Thank you for bringing this up. We have actually already removed the polyfill dependency in this commit a few weeks ago. This change will be part of the release 1.3.4. I cannot yet promise when an official release for this version will be made, but it should not be too far away.

behnle commented 1 month ago

Sounds good. In view of these issues, all other third-party dependencies should also be critically evaluated. Is there a rough schedule for the release of NOMAD 1.3.4 (days/weeks/months)?

lauri-codes commented 1 month ago

I think we will release it within a month, I can keep you updated through this issue.

lauri-codes commented 1 month ago

The image for 1.3.4 is now available. You can start using it by specifying it in your docker-compose file with the name nomad-fair:v1.3.4. The nomad-fair:latest will still point to 1.3.3 for a while.

behnle commented 1 month ago

Thanks for the new image. The defunct polyfill dependency is indeed gone. jsdelivr and unpkg are now the last remaining 3rd-party dependencies, at least concerning the start page. These are big CDNs and probably less prone to supply-chain attacks, but I'd enjoy seeing them gone, too :-)

lauri-codes commented 1 month ago

Thanks for confirming. I think we will not yet want to drop all of the CDNs, but if we keep hearing that it is a security concern for several Oasis installations, then it is definitely something to consider.
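A defender-side check of the kind behnle describes, as an added example that is not part of this thread or of the NOMAD code base: it lists every script or stylesheet a served page loads from a host other than your own Oasis and reports whether each carries a Subresource Integrity (`integrity`) hash, so CDN dependencies such as jsdelivr or unpkg can be tracked and pinned until they are bundled. The host `oasis.example.org` and the sample HTML are constructed for the example.

```python
# Added example (not NOMAD project code): audit an HTML page for third-party
# script/stylesheet sources and whether each carries a Subresource Integrity hash.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AssetCollector(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> tags with their attributes."""
    def __init__(self):
        super().__init__()
        self.assets = []  # list of (url, has_integrity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        url = None
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            url = a["href"]
        if url:
            self.assets.append((url, bool(a.get("integrity"))))

def audit_third_party_assets(html, own_host):
    """Return findings for assets loaded from hosts other than own_host.

    Each finding has the URL, its host, and whether an SRI hash ("sri") is present.
    Relative and same-origin URLs are skipped; protocol-relative ("//cdn...") are kept.
    """
    parser = _AssetCollector()
    parser.feed(html)
    findings = []
    for url, has_sri in parser.assets:
        parsed = urlparse("https:" + url if url.startswith("//") else url)
        host = parsed.netloc.lower()
        if not host or host == own_host.lower():
            continue  # served from the app itself, not an external dependency
        findings.append({"url": url, "host": host, "sri": has_sri})
    return findings

# Constructed sample page (not real NOMAD output); the integrity value is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="/static/js/main.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example@1.0.0/dist/example.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//unpkg.com/example@1.0.0/style.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_third_party_assets(SAMPLE_HTML, "oasis.example.org"):
        print(f"{f['host']:<20} sri={'yes' if f['sri'] else 'NO'}  {f['url']}")
```

Run it against the HTML your Oasis actually serves (e.g. saved with `curl`) to confirm which external hosts remain after an upgrade; an entry without `sri=yes` is one whose content the CDN can change without your page noticing.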