@matt-bernhardt (Member) commented Jul 3, 2024

This removes the Polyfill JavaScript library from our hours plugin, and updates the Sentry plugin, which could also have loaded the script, which is now subject to a supply chain attack.

Confirmation that this works should be that you no longer see the network loading a script from the compromised domain.

Developer

Stylesheets

  • Any theme or plugin whose stylesheets have changed has had its version
    string incremented.

Secrets

  • All new secrets have been added to Pantheon tiers
  • Relevant secrets have been updated in Github Actions
  • All new secrets documented in README
  • No secrets are affected

Documentation

  • Project documentation has been updated
  • No documentation changes are needed

Accessibility

  • ANDI or Wave has been run in accordance with
    our guide and
    all issues introduced by these changes have been resolved or opened as new
    issues (link to those issues in the Pull Request details above)

Stakeholder approval

  • Stakeholder approval has been confirmed
  • Stakeholder approval is not needed

Dependencies

YES dependencies are updated

Code Reviewer

https://mitlibraries.atlassian.net/browse/PW-99

  • The commit message is clear and follows our guidelines
    (not just this pull request message)
  • The changes have been verified
  • The documentation has been updated or is unnecessary
  • New dependencies are appropriate or there were no changes

@matt-bernhardt matt-bernhardt marked this pull request as ready for review July 3, 2024 14:39
@matt-bernhardt (Member, Author) commented:

I'm putting this into code review now to expedite the process, but am also checking with Darcy about whether anyone in UX wants to take a look at this before it merges. I've checked the hours displays that we're using, and confirmed that they're all still loading information:

  • Main hours grid
  • Network homepage
  • Location page
  • Distinctive Collections sidebar

** Why are these changes being introduced:

* The JavaScript used by our hours integration had used Polyfill as
  part of its architecture, going back many years. Unfortunately that
  has been the subject of a supply chain attack, and needs to be
  removed.

** Relevant ticket(s):

* https://mitlibraries.atlassian.net/browse/pw-99

** How does this address that need:

* This removes the Polyfill library from our hours library, which
  prevents anyone from loading the compromised script.

** Document any side effects to this change:

* None - testing shows that the front end hours displays are all
  still functioning. The administrative process of refreshing the
  local cache is written in PHP, so it shouldn't be affected by this
  change.

@matt-bernhardt matt-bernhardt merged commit ce2ede0 into master Jul 3, 2024
@matt-bernhardt matt-bernhardt deleted the pw-99 branch July 3, 2024 15:09