Will this project support polyfill-library@4 and beyond? #4

Open
mhassan1 opened this issue Mar 12, 2024 · 5 comments
@mhassan1

What

The original polyfill-service repository has many requests for missing polyfills; for example, polyfillpolyfill#2756, polyfillpolyfill#2744, and polyfillpolyfill#2734. All of the requested polyfills are available in polyfill-library@4.

Because this repository vendors the polyfills inside the polyfill-libraries directory, it is unclear where they came from and whether they will get updated.

Will this repository ever get additional polyfills from polyfill-library@4 and beyond? If so, which repository will those polyfills come from? See related conversation at https://github.com/JakeChampion/polyfill-library/issues/1323.

@MattIPv4 MattIPv4 changed the title [Question]: Will this project support polyfill-library@4 and beyond? Will this project support polyfill-library@4 and beyond? Mar 28, 2024
@xtuc xtuc self-assigned this Jun 25, 2024
@xtuc
Member

xtuc commented Jun 26, 2024

Note that the version 4.8.0 has been added to https://cdnjs.cloudflare.com/polyfill.

@mustafa0x

mustafa0x commented Jun 26, 2024

Woah, finally, awesome, thanks so much Sven! (Odd that it's at v3/ instead of v4/, but that's of little concern.)

I assume this can be closed.

@mhassan1
Author

@xtuc I'm assuming 4.8.0 came from https://www.npmjs.com/package/polyfill-library. Is that correct?

If that's correct, given that https://github.com/JakeChampion/polyfill-library/issues/1323 has not gotten a response from the maintainer, you may want to consider getting future polyfill-library updates from https://www.npmjs.com/package/@mrhenry/polyfill-library, which is a maintained fork. FYI @romainmenke.

@xtuc
Member

xtuc commented Jun 26, 2024

> @xtuc I'm assuming 4.8.0 came from https://www.npmjs.com/package/polyfill-library. Is that correct?

Yes, correct.

@romainmenke

Thank you @xtuc 🙇


> Odd that it's at v3/ instead of v4/, but that's of little concern.

If I recall correctly:

  • the hosted service has versioning for its API (which query params are available, how do they work, ...)
  • the library has versioning for its API (how does the library work, which polyfills are available, ...)

In v4 of the library we (massive effort by @mhassan1) dropped support for IE8.
But we didn't make changes to other parts of the public interface so this should be fine :)

Given the age of IE8 I don't even think this is breaking for those users who don't set a version string in their url.


> you may want to consider getting future polyfill-library updates from https://www.npmjs.com/package/@mrhenry/polyfill-library, which is a maintained fork

We also took some extra measures:

  • no dependencies on packages still under control of the previous maintainer
  • all polyfills are vendored (and thus tracked by git)

https://github.com/mrhenry/polyfill-library/blob/main/CHANGELOG.md#v500

wmfgerrit pushed a commit to wikimedia/mediawiki that referenced this issue Sep 16, 2024
…rary

https://github.com/Financial-Times/polyfill-library/ is now a 404.
It was transferred with redirect to
https://github.com/JakeChampion/polyfill-library/
but that has since been deleted.

https://github.com/mrhenry/polyfill-library/ is a reasonable-looking
fork that includes full history, and so this is an easy no-op to fix
CI for REL1_39 and later.

== Background (Extended version) ==

* The library was created by Andrew Betts at the Financial Times,
  at https://github.com/Financial-Times/polyfill-library/.

* At some later point a web service was created around that library,
  committed to the same repo, served from a domain that has unclear
  ownership.
  https://sansec.io/research/polyfill-supply-chain-attack
  https://twitter.com/triblondon/status/1761852117579427975

* In 2018, JakeChampion renamed the repo to polyfill-service, and
  split off the library into a separate repo with no prior history.
  The pre-2018 history is preserved in the polyfill-service repo.

  https://github.com/mrhenry/polyfill-library/tree/acf4e6c36d0baafdd14bbc08a2d2690f0e8fcd0d
  https://github.com/cdnjs/polyfill-service/tree/165879244964dc8daac9222b44332629eb1dd0ac/packages

* In 2022, Krinkle had a patch merged that fixed a bug affecting
  MediaWiki. After which, we adopted the polyfill. This was
  merged after polyfill-library 3.111.0 was released.

  mrhenry/polyfill-library@0ece79ce32

* In 2023, someone transferred the "library" repo
  from https://github.com/Financial-Times/polyfill-library/
  to https://github.com/JakeChampion/polyfill-library/.

* In Feb 2024, the polyfill.io "service" appears to have been
  sold to a Chinese company, which subsequently utilized it to
  spread malicious code as part of a cyberattack. It also created
  its own flat single-commit copy of the library with no prior
  history, versioning, or other auditability.
  https://sansec.io/research/polyfill-supply-chain-attack
  https://snyk.io/blog/polyfill-supply-chain-attack-js-cdn-assets/

  https://github.com/polyfillpolyfill/polyfill-library/

* Some days after 4 Aug 2024, the official "library" repo was deleted
  from the JakeChampion account. This means the "polyfill-library"
  npm package no longer has a reachable Git upstream, since its
  source control url (Financial-Times/polyfill-library) is now no
  longer a redirect to JakeChampion/polyfill-library. Both are 404.
  https://web.archive.org/web/%2A/https://github.com/JakeChampion/polyfill-library
  https://www.npmjs.com/package/polyfill-library

* Fastly and Cloudflare both have their own forks with recent
  changes scrubbed. However, these have vendored and versioned copies
  of the polyfill-library library. Thus no history of these libs
  themselves, and do not accept patches for the actual code being
  served, only for the web service.
  They both go up to 3.111.0 (which is a few commits before the
  URL.js that we have, and misses critical bug fixes Krinkle
  submitted to Financial-Times) and after that have 4.8.0 which
  includes our fixes and one other minor change to URL.js.
  We could use that as our foreign source, but the downside is that
  it isn't a proper upstream given it's merely a distribution,
  not open to patches or bug reports. Their source is the npm package,
  which is now dead/frozen.
  https://github.com/fastly/polyfill-service/
  https://github.com/cdnjs/polyfill-service/

* Of the various polyfill-library forks, only one seems to meet these
  criteria:
  - Includes full history.
  - Published to npm.
  - Responsive to bug reports and made subsequent releases.

  https://github.com/mrhenry/polyfill-library/
  cdnjs/polyfill-service#4

  So, for now, given that this is a no-op, use that as our remote.

Change-Id: Ia59a5e9790cbdc7b03d4ae66583fe328fbd05f53
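
The commit message above notes that the `polyfill-library` npm package's source control URL no longer resolves to a live repository. As an added example (not code from this thread, cdnjs, or MediaWiki), the JavaScript below normalizes the `repository` field of npm manifests and classifies each package against a table of reviewed upstreams; the sample manifests, the table, and the function names are constructed for illustration.

```javascript
// Added example; manifests and upstream table are constructed for illustration.

// Normalize the forms npm accepts for `repository` to "host/owner/repo".
function normalizeRepository(repository) {
  if (!repository) return null;
  let url = typeof repository === "string" ? repository : repository.url;
  if (typeof url !== "string" || url === "") return null;
  // Shorthand "owner/repo" and "github:owner/repo" both mean GitHub.
  const short = /^(?:github:)?([\w.-]+)\/([\w.-]+)$/.exec(url);
  if (short) return `github.com/${short[1]}/${short[2]}`.toLowerCase();
  // "git+https://..." and scp-style "git@host:owner/repo.git" become parseable URLs.
  url = url.replace(/^git\+/, "").replace(/^git@([^:]+):/, "ssh://git@$1/");
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  const path = parsed.pathname.replace(/^\/+|\/+$/g, "").replace(/\.git$/, "");
  const [owner, repo] = path.split("/");
  if (!owner || !repo) return null;
  return `${parsed.hostname}/${owner}/${repo}`.toLowerCase();
}

// Reviewed upstream states, taken from what the commit message reports.
// Assumption: a real audit refreshes this table instead of hard-coding it.
const UPSTREAMS = new Map([
  ["github.com/financial-times/polyfill-library", "gone"],
  ["github.com/jakechampion/polyfill-library", "gone"],
  ["github.com/mrhenry/polyfill-library", "ok"],
]);

// Classify each manifest: ok, gone, unreviewed, or no-repository.
function auditManifests(manifests, upstreams = UPSTREAMS) {
  return manifests.map((m) => {
    const repo = normalizeRepository(m.repository);
    const status = repo === null ? "no-repository" : upstreams.get(repo) ?? "unreviewed";
    return { name: m.name, repo, status };
  });
}

// Constructed sample manifests (not copied from the npm registry).
const SAMPLE = [
  { name: "polyfill-library",
    repository: { type: "git", url: "git+https://github.com/Financial-Times/polyfill-library.git" } },
  { name: "@mrhenry/polyfill-library", repository: "github:mrhenry/polyfill-library" },
  { name: "example-unreviewed", repository: "git@github.com:example/unreviewed.git" },
  { name: "example-no-repo" },
];

for (const r of auditManifests(SAMPLE)) console.log(r.status.padEnd(14), r.name, r.repo ?? "-");
```

A package flagged `gone` or `no-repository` is one whose published artifact can no longer be compared against reviewable source history, which is the condition the commit message describes for the original package.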