Description
Documentation URL
https://next.biomejs.dev/linter/rules/no-unwanted-polyfillio/
Description
Ref: biomejs/biome#4731
Polyfill.io was sold to an unknown company who used it to distribute malicious code via a supply chain attack. Since it was detected in June 2024 it's been offline after being blocked by major DNS providers.
Sources:
- https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack
- https://censys.com/blog/july-2-polyfill-io-supply-chain-attack-digging-into-the-web-of-compromised-domains
- https://fossa.com/blog/polyfill-supply-chain-attack-details-fixes/
As a result, the docs should only reference the replacement domains in order to:
- provide working examples (as polyfill.io is still blocked/offline)
- protect biome users against them using it in the event the domain returns
The Fastly domain is already referenced; I'd suggest including the Cloudflare one too and removing references to the original. Cloudflare is already supported in the code, so no changes are required there.
https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0
Making this an issue now so it isn't lost - if no one gets a chance to update it then I'll have a crack at it soon once my time opens up a little.
Expectations
Remove references to the original polyfill.io
Code of Conduct
- I agree to follow Biome's Code of Conduct
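To make the distinction the issue draws concrete, here is an added example (not Biome's implementation of `noUnwantedPolyfillio`, and not code from the issue author) that classifies `<script src>` URLs the way such a check would: anything on `polyfill.io` or a subdomain of it is flagged, the replacement hosts are accepted, and a flagged URL is mapped onto the Cloudflare mirror using the path layout shown in the issue's URL. The `cdnjs.cloudflare.com/polyfill/` prefix comes from the issue; `polyfill-fastly.net` is assumed here to be the Fastly replacement host, and the sample HTML is constructed for the demonstration.

```javascript
// Added example, not Biome's own rule: classify <script src> URLs and
// audit a constructed HTML snippet for references to the compromised CDN.

// The compromised domain (any subdomain such as cdn.polyfill.io counts too).
const BLOCKED_HOSTS = ["polyfill.io"];

// Known-good replacement prefixes. The Cloudflare one is from the issue;
// polyfill-fastly.net is an assumption about the Fastly mirror.
const REPLACEMENT_PREFIXES = [
  "https://cdnjs.cloudflare.com/polyfill/",
  "https://polyfill-fastly.net/",
];

// Base used only to resolve protocol-relative ("//host/...") and relative srcs.
const RESOLVE_BASE = "https://example.invalid/";

function classifyScriptSrc(src) {
  let url;
  try {
    url = new URL(src, RESOLVE_BASE);
  } catch {
    return "invalid"; // unparsable src: report rather than silently allow
  }
  const host = url.hostname.toLowerCase();
  if (BLOCKED_HOSTS.some((h) => host === h || host.endsWith("." + h))) {
    return "blocked";
  }
  if (REPLACEMENT_PREFIXES.some((p) => url.href.startsWith(p))) {
    return "replacement";
  }
  return "other"; // some unrelated script; not this check's concern
}

// Map a blocked polyfill.io URL onto the Cloudflare mirror, keeping the
// path and query (mirror layout assumed from the URL quoted in the issue).
function suggestReplacement(src) {
  if (classifyScriptSrc(src) !== "blocked") return null;
  const url = new URL(src, RESOLVE_BASE);
  return "https://cdnjs.cloudflare.com/polyfill" + url.pathname + url.search;
}

// Pull src attributes out of <script> tags (double, single or unquoted).
function findScriptSrcs(html) {
  const re = /<script\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

function auditHtml(html) {
  return findScriptSrcs(html).map((src) => ({
    src,
    verdict: classifyScriptSrc(src),
    suggestion: suggestReplacement(src),
  }));
}

// Constructed sample page mixing the compromised host, a subdomain of it,
// the Cloudflare replacement, and an unrelated local script.
const SAMPLE_HTML = `
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
<script defer src='//cdn.polyfill.io/v2/polyfill.min.js'></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0"></script>
<script src="/static/app.js"></script>
`;

for (const finding of auditHtml(SAMPLE_HTML)) {
  console.log(finding.verdict.padEnd(12), finding.src, finding.suggestion ?? "");
}
```

Matching on the hostname rather than a substring of the whole URL is deliberate: it catches subdomains and protocol-relative references while not flagging a replacement URL that merely contains the string "polyfill".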