Insecure 3rd party dependency #107
Comments
|
Hi @behnle! Thank you for bringing this up. We have actually already removed the polyfill dependency in this commit a few weeks ago. |
|
Sounds good. In view of these issues, all other third-party dependencies should also be critically evaluated. Is there a rough schedule for the release of NOMAD 1.3.4 (days/weeks/months)? |
|
I think we will release it within a month, I can keep you updated through this issue. |
|
The image for 1.3.4 is now available. You can start using it by specifying it in your docker-compose file with the name |
|
Thanks for the new image. The defunct polyfill dependency is indeed gone. jsdelivr and unpkg are now the last remaining 3rd party dependencies at least concerning the start page. These are big CDNs and probably less prone to supply chain attacks, but i'd enjoy to see them being gone, too :-) |
Dear NOMAD developers,
while trying to hunt down another issue, i realized that my NOMAD Oasis tries to pull in js code from polyfill.io.
This site has recently been used for a supply-chain attack, see e.g.: https://www.golem.de/news/angriff-via-polyfill-io-ueber-100-000-webseiten-verbreiten-ploetzlich-malware-2406-186452.html
Please get rid of this and other insecure or potentially dangerous 3rd party dependencies ASAP. As the one responsible for our Oasis, i don't want to be held accountable for distributing malware to my users.
If you think that such code is needed, please bundle it with the other distributed source.
NOMAD version: 1.3.3
The text was updated successfully, but these errors were encountered: