Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace links to polyfill.io in comments on support/v3.x branch #5106

Open
1 task
Tracked by #3574
romaricpascal opened this issue Jun 27, 2024 · 1 comment
Open
1 task
Tracked by #3574

Replace links to polyfill.io in comments on support/v3.x branch #5106

romaricpascal opened this issue Jun 27, 2024 · 1 comment
Labels
small story

Comments

@romaricpascal
Copy link
Member

What

On the support/3.x branch, replace links to the polyfill.io website in the comments of our vendored polyfills with the following note at the top of the file:

/**
 * NOTE
 * 
 * These polyfills were generated using polyfill.io, which was reported as compromised on 25th June 2024.
 * 
 * We generated this code well before the compromise, and it is free of malicious code.
 * However, we recommend checking any polyfills you have generated in a similar way.
 */

Why

polyfill.io was reported as compromised on 25th June 2024. While our code doesn't load scripts directly from the live service, the polyfills in govuk-frontend had been extracted from this service while it was free of malicious code. These extracts have comments pointing to the polyfill.io website, which would lead our users to a malicious site.

Who needs to work on this

Developers

Who needs to review this

Developers

Done when

  • Comments linking to polyfill.io in our polyfills have been removed in favour of a generic note.
@romaricpascal romaricpascal moved this to Backlog 🏃🏼‍♀️ in GOV.UK Design System cycle board Jun 27, 2024
@romaricpascal romaricpascal mentioned this issue Jun 27, 2024
Open
@domoscargin
Copy link
Contributor

See #5127 for 4.x - we can probably lift and shift from there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
small story
Projects
GOV.UK Design System cycle board
Status: Backlog 🏃🏼‍♀️
Milestone
No milestone
Development

No branches or pull requests
2 participants
@romaricpascal @domoscargin