remove references to polyfill.io #703
Conversation
|
Thank you for flagging this, greatly appreciated! |
|
Thank you for the quick merge, appreciate it! |
|
pdoc 14.5.1 is out. Advisory is at GHSA-5vgj-ggm4-fg62, I've requested a CVE from GitHub. Thank you again for the report! I will now do some digging how this made it in the in the first place. I typically avoid CDNs where possible, but I vaguely recall that this was tricky with MathJax. |
|
After doing some more digging, we included polyfill.io here because that is what's recommended on https://www.mathjax.org/#gettingstarted. I've flagged the latest developments at mathjax/MathJax-docs#334. We're still using jsdelivr for MathJax and Mermaid diagrams if those features are enabled (they are off by default). I'm much less worried about jsdelivr, but we should take a look again if there is a good way for us to embed both of them into pdoc without massively bloating our output. |
|
@adhintz: I've credited you for reporting this over at GHSA-5vgj-ggm4-fg62. There's probably a button for you somewhere to accept that. Thank you again! 🍰 |
The polyfill.io website has been reported to serve malicious code. (reference and GitHub issue)
I do not think there is a need for these es6 polyfills because es6 has been supported in browsers for the past 9 years.