The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the Github repository.
nah. over 100k sites ignored dependency risks, even after the original owners warned them this exact thing would happen.
the real story is 100k sites not being run appropriately.
deleted by creator
I’m stealing this phrase
deleted by creator
One place I worked at recently was still using Node version 8. Running
npm installwould give me a mini heart attack… Like 400+ critical vulnerabilities, it was several thousand vulnerabilities all around.After the first 100, the other 300 kinda don’t matter.
If you’re on RHEL 8+, you can install the latest version of node with dnf.
dnf install nodejswill likely install node 8 :(. Usednf module install nodejs:20to install the latest version.Same as it ever was. Same as it ever was. Same as it ever was.
Yeah this is just capitalistic business in general. Don’t do anything proactive if it might reduce the bottom line in the short term. Blame others and beg for help when you weren’t proactive. Succeed singularly, fail collectively
You just described my coworker…
Described every corporation ever incorporated.
This isn’t holding up, time isn’t after us.
JS: typing systems are boring, warnings are boring, security is boring.
Sure, the package managers of other languages are super safe
You’re confused. It’s unrelated to package managers, it’s about basic security principles like this: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity but JS devs don’t care.
Finding new ways webshits fuck up the most basic development principles boggles my mind. It’s like they intentionally stay ignorant.
We know, but we don’t have time to change. We have another site waiting to get slammed out as soon as the one we’re working on, which was underfunded with a ridiculous timeline goes live.
There’s still a fair bit of “my nephew makes websites, it can’t be that [hard, expensive, time consuming], oh and by the way, e we need a way to edit every word and image on the site, that both our intern and barely literate CEO can understand, even though we’re literally never going to edit anything ever.”
They’re widely variable. PyPI gets into about as much trouble as npm, but I haven’t heard of a successful attack on CPAN in years (although that may be because no one cares about Perl anymore).
deleted by creator
I don’t think we have to choose. “Maintain your websites so you don’t get taken advantage of” and “Here’s an example of a major-world-power-affiliated group exploting that thing you didn’t do” are both pretty important stories.
I mean, both are true? It’s not a manipulative headline in my opinion.
The malware thing still deserves a headline. They just argue it’s stupid so many even have to use the library to begin with.
Have to use? No one has to use any library. It’s convenience, and in this case it’s literally so they don’t have to write code for older browser versions.
The issue here isn’t that anyone has to use it, it’s the way it was used that is the problem. Directly linking to the current version of the code hosted by a third party instead of hosting a copy yourself.
Probably at your local asian gay bar.