From 059b6bb5046ecdb0c2bd0159219e280f2a255596 Mon Sep 17 00:00:00 2001
From: Brett Kyle
Date: Wed, 10 Jul 2024 20:47:42 +0100
Subject: [PATCH 1/2] Remove direct links to Polyfill[dot]io

Removes all comments which link to Polyfill[dot]io or the defunct GitHub repo. In their place, add a README explaining the situation. Adding a note to each polyfill generates a LOAD of comments in package code, which isn't great.
---
 src/govuk/vendor/README.md | 7 +++++++
 src/govuk/vendor/polyfills/DOMTokenList.mjs | 2 --
 src/govuk/vendor/polyfills/Date/now.mjs | 2 --
 src/govuk/vendor/polyfills/Document.mjs | 2 --
 src/govuk/vendor/polyfills/Element.mjs | 2 --
 src/govuk/vendor/polyfills/Element/prototype/classList.mjs | 2 --
 src/govuk/vendor/polyfills/Element/prototype/closest.mjs | 2 --
 src/govuk/vendor/polyfills/Element/prototype/dataset.mjs | 2 --
 src/govuk/vendor/polyfills/Element/prototype/matches.mjs | 2 --
 .../polyfills/Element/prototype/nextElementSibling.mjs | 2 --
 .../polyfills/Element/prototype/previousElementSibling.mjs | 2 --
 src/govuk/vendor/polyfills/Event.mjs | 2 --
 src/govuk/vendor/polyfills/Function/prototype/bind.mjs | 2 --
 src/govuk/vendor/polyfills/Object/defineProperty.mjs | 2 --
 src/govuk/vendor/polyfills/String/prototype/trim.mjs | 2 --
 src/govuk/vendor/polyfills/Window.mjs | 2 --
 16 files changed, 7 insertions(+), 30 deletions(-)
 create mode 100644 src/govuk/vendor/README.md

diff --git a/src/govuk/vendor/README.md b/src/govuk/vendor/README.md
new file mode 100644
index 0000000000..242544a476
--- /dev/null
+++ b/src/govuk/vendor/README.md
@@ -0,0 +1,7 @@
+# NOTE
+
+These polyfills were generated using polyfill.io, which was reported as compromised on 25th June 2024.
+
+We generated this code well before the compromise, and it is free of malicious code.
+
+However, we recommend checking any polyfills you have generated in a similar way.
\ No newline at end of file
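Review bot: The README's claim that the vendored code "is free of malicious code" cannot be checked from the repository once this patch lands, because the same commit deletes the only provenance records. Those include the comments pinning Date/now.mjs to polyfill-library `v3.111.0` and the classList, closest, matches and dataset polyfills to specific commit SHAs. I would carry that information into the README as plain text rather than links, one line per file in the form `Date/now.mjs: polyfill-library v3.111.0`, so an auditor can compare each file against a known upstream revision. The README also attributes every polyfill to polyfill.io, but the comments removed from String/prototype/trim.mjs point to mdn/content, which is neither polyfill.io nor the Financial-Times repository, so that attribution could stay or be listed separately. "Well before the compromise" would be easier to rely on if it named the date or release in which the files were last regenerated, assuming the maintainers have that on record.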
diff --git a/src/govuk/vendor/polyfills/DOMTokenList.mjs b/src/govuk/vendor/polyfills/DOMTokenList.mjs index 015138ad7a..d051638b76 100644 --- a/src/govuk/vendor/polyfills/DOMTokenList.mjs +++ b/src/govuk/vendor/polyfills/DOMTokenList.mjs @@ -1,7 +1,6 @@ // @ts-nocheck (function (undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/master/packages/polyfill-library/polyfills/DOMTokenList/detect.js var detect = ( 'DOMTokenList' in this && (function (x) { return 'classList' in x ? !x.classList.toggle('x', false) && !x.className : true; @@ -10,7 +9,6 @@ if (detect) return - // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-service/master/packages/polyfill-library/polyfills/DOMTokenList/polyfill.js (function (global) { var nativeImpl = "DOMTokenList" in global && global.DOMTokenList; diff --git a/src/govuk/vendor/polyfills/Date/now.mjs b/src/govuk/vendor/polyfills/Date/now.mjs index 51bce6bf52..b83741ce68 100644 --- a/src/govuk/vendor/polyfills/Date/now.mjs +++ b/src/govuk/vendor/polyfills/Date/now.mjs @@ -1,12 +1,10 @@ // @ts-nocheck (function (undefined) { - // Detection from https://github.com/Financial-Times/polyfill-library/blob/v3.111.0/polyfills/Date/now/detect.js var detect = ('Date' in self && 'now' in self.Date && 'getTime' in self.Date.prototype) if (detect) return - // Polyfill from https://polyfill.io/v3/polyfill.js?version=3.111.0&features=Date.now&flags=always Date.now = function () { return new Date().getTime(); }; diff --git a/src/govuk/vendor/polyfills/Document.mjs b/src/govuk/vendor/polyfills/Document.mjs index 0fcf451fa6..29e0094409 100644 --- a/src/govuk/vendor/polyfills/Document.mjs +++ b/src/govuk/vendor/polyfills/Document.mjs 
@@ -1,12 +1,10 @@ // @ts-nocheck (function (undefined) { -// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Document/detect.js var detect = ("Document" in this) if (detect) return -// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Document&flags=always if ((typeof WorkerGlobalScope === "undefined") && (typeof importScripts !== "function")) { if (this.HTMLDocument) { // IE8 diff --git a/src/govuk/vendor/polyfills/Element.mjs b/src/govuk/vendor/polyfills/Element.mjs index 72eeec85a7..e786746090 100644 --- a/src/govuk/vendor/polyfills/Element.mjs +++ b/src/govuk/vendor/polyfills/Element.mjs @@ -3,12 +3,10 @@ import './Document.mjs' (function(undefined) { -// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Element/detect.js var detect = ('Element' in this && 'HTMLElement' in this) if (detect) return -// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Element&flags=always (function () { // IE8 diff --git a/src/govuk/vendor/polyfills/Element/prototype/classList.mjs b/src/govuk/vendor/polyfills/Element/prototype/classList.mjs index dd3e0ed2e6..2cc4bbd509 100644 --- a/src/govuk/vendor/polyfills/Element/prototype/classList.mjs +++ b/src/govuk/vendor/polyfills/Element/prototype/classList.mjs @@ -5,7 +5,6 @@ import '../../Element.mjs' (function(undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/8717a9e04ac7aff99b4980fbedead98036b0929a/packages/polyfill-library/polyfills/Element/prototype/classList/detect.js var detect = ( 'document' in this && "classList" in document.documentElement && 'Element' in this && 'classList' in Element.prototype && (function () { var e = document.createElement('span'); 
@@ -16,7 +15,6 @@ import '../../Element.mjs' if (detect) return - // Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Element.prototype.classList&flags=always (function (global) { var dpSupport = true; var defineGetter = function (object, name, fn, configurable) { diff --git a/src/govuk/vendor/polyfills/Element/prototype/closest.mjs b/src/govuk/vendor/polyfills/Element/prototype/closest.mjs index 987a0e39ac..379b05d060 100644 --- a/src/govuk/vendor/polyfills/Element/prototype/closest.mjs +++ b/src/govuk/vendor/polyfills/Element/prototype/closest.mjs @@ -3,14 +3,12 @@ import './matches.mjs' (function(undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/closest/detect.js var detect = ( 'document' in this && "closest" in document.documentElement ) if (detect) return - // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/closest/polyfill.js Element.prototype.closest = function closest(selector) { var node = this; diff --git a/src/govuk/vendor/polyfills/Element/prototype/dataset.mjs b/src/govuk/vendor/polyfills/Element/prototype/dataset.mjs index 72eaa9f206..e8d04404c1 100644 --- a/src/govuk/vendor/polyfills/Element/prototype/dataset.mjs +++ b/src/govuk/vendor/polyfills/Element/prototype/dataset.mjs @@ -4,7 +4,6 @@ import '../../Element.mjs' (function(undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-library/13cf7c340974d128d557580b5e2dafcd1b1192d1/polyfills/Element/prototype/dataset/detect.js var detect = (function(){ if (!document.documentElement.dataset) { return false; 
@@ -16,7 +15,6 @@ import '../../Element.mjs' if (detect) return - // Polyfill derived from https://raw.githubusercontent.com/Financial-Times/polyfill-library/13cf7c340974d128d557580b5e2dafcd1b1192d1/polyfills/Element/prototype/dataset/polyfill.js Object.defineProperty(Element.prototype, 'dataset', { get: function() { var element = this; diff --git a/src/govuk/vendor/polyfills/Element/prototype/matches.mjs b/src/govuk/vendor/polyfills/Element/prototype/matches.mjs index 0a3da81438..9127f80d89 100644 --- a/src/govuk/vendor/polyfills/Element/prototype/matches.mjs +++ b/src/govuk/vendor/polyfills/Element/prototype/matches.mjs @@ -1,14 +1,12 @@ // @ts-nocheck (function (undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/matches/detect.js var detect = ( 'document' in this && "matches" in document.documentElement ) if (detect) return - // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/matches/polyfill.js Element.prototype.matches = Element.prototype.webkitMatchesSelector || Element.prototype.oMatchesSelector || Element.prototype.msMatchesSelector || Element.prototype.mozMatchesSelector || function matches(selector) { var element = this; var elements = (element.document || element.ownerDocument).querySelectorAll(selector); diff --git a/src/govuk/vendor/polyfills/Element/prototype/nextElementSibling.mjs b/src/govuk/vendor/polyfills/Element/prototype/nextElementSibling.mjs index b890ca0d4f..c982db02ef 100644 --- a/src/govuk/vendor/polyfills/Element/prototype/nextElementSibling.mjs +++ b/src/govuk/vendor/polyfills/Element/prototype/nextElementSibling.mjs 
@@ -4,14 +4,12 @@ import '../../Element.mjs' (function(undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-library/master/polyfills/Element/prototype/nextElementSibling/detect.js var detect = ( 'document' in this && "nextElementSibling" in document.documentElement ) if (detect) return - // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-library/master/polyfills/Element/prototype/nextElementSibling/polyfill.js Object.defineProperty(Element.prototype, "nextElementSibling", { get: function(){ var el = this.nextSibling; diff --git a/src/govuk/vendor/polyfills/Element/prototype/previousElementSibling.mjs b/src/govuk/vendor/polyfills/Element/prototype/previousElementSibling.mjs index b47052c53f..d257c1f810 100644 --- a/src/govuk/vendor/polyfills/Element/prototype/previousElementSibling.mjs +++ b/src/govuk/vendor/polyfills/Element/prototype/previousElementSibling.mjs @@ -4,14 +4,12 @@ import '../../Element.mjs' (function(undefined) { - // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-library/master/polyfills/Element/prototype/previousElementSibling/detect.js var detect = ( 'document' in this && "previousElementSibling" in document.documentElement ) if (detect) return - // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-library/master/polyfills/Element/prototype/previousElementSibling/polyfill.js Object.defineProperty(Element.prototype, 'previousElementSibling', { get: function(){ var el = this.previousSibling; diff --git a/src/govuk/vendor/polyfills/Event.mjs b/src/govuk/vendor/polyfills/Event.mjs index 8365c91e03..0377a57df1 100644 --- a/src/govuk/vendor/polyfills/Event.mjs +++ b/src/govuk/vendor/polyfills/Event.mjs 
@@ -5,7 +5,6 @@ import './Object/defineProperty.mjs' (function(undefined) { -// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Event/detect.js var detect = ( (function(global) { @@ -25,7 +24,6 @@ var detect = ( if (detect) return -// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Event&flags=always (function () { var unlistenableWindowEvents = { click: 1, diff --git a/src/govuk/vendor/polyfills/Function/prototype/bind.mjs b/src/govuk/vendor/polyfills/Function/prototype/bind.mjs index 20290f4482..e511738531 100644 --- a/src/govuk/vendor/polyfills/Function/prototype/bind.mjs +++ b/src/govuk/vendor/polyfills/Function/prototype/bind.mjs @@ -2,12 +2,10 @@ import '../../Object/defineProperty.mjs' (function(undefined) { - // Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Function/prototype/bind/detect.js var detect = 'bind' in Function.prototype if (detect) return - // Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Function.prototype.bind&flags=always Object.defineProperty(Function.prototype, 'bind', { value: function bind(that) { // .length is 1 // add necessary es5-shim utilities diff --git a/src/govuk/vendor/polyfills/Object/defineProperty.mjs b/src/govuk/vendor/polyfills/Object/defineProperty.mjs index 37da95b1d2..b60ab7cf1c 100644 --- a/src/govuk/vendor/polyfills/Object/defineProperty.mjs +++ b/src/govuk/vendor/polyfills/Object/defineProperty.mjs @@ -1,7 +1,6 @@ // @ts-nocheck (function (undefined) { -// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Object/defineProperty/detect.js var detect = ( // In IE8, defineProperty could only act on DOM elements, so full support // for the feature requires the ability to set a property on an arbitrary object 
@@ -18,7 +17,6 @@ var detect = ( if (detect) return -// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Object.defineProperty&flags=always (function (nativeDefineProperty) { var supportsAccessors = Object.prototype.hasOwnProperty('__defineGetter__'); diff --git a/src/govuk/vendor/polyfills/String/prototype/trim.mjs b/src/govuk/vendor/polyfills/String/prototype/trim.mjs index c1f76d46fe..1a79499055 100644 --- a/src/govuk/vendor/polyfills/String/prototype/trim.mjs +++ b/src/govuk/vendor/polyfills/String/prototype/trim.mjs @@ -1,12 +1,10 @@ // @ts-nocheck (function (undefined) { - // Detection from https://github.com/mdn/content/blob/cf607d68522cd35ee7670782d3ee3a361eaef2e4/files/en-us/web/javascript/reference/global_objects/string/trim/index.md#polyfill var detect = ('trim' in String.prototype) if (detect) return - // Polyfill from https://github.com/mdn/content/blob/cf607d68522cd35ee7670782d3ee3a361eaef2e4/files/en-us/web/javascript/reference/global_objects/string/trim/index.md#polyfill String.prototype.trim = function () { return this.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, ''); }; diff --git a/src/govuk/vendor/polyfills/Window.mjs b/src/govuk/vendor/polyfills/Window.mjs index 6a52cdbb60..f7177ba83f 100644 --- a/src/govuk/vendor/polyfills/Window.mjs +++ b/src/govuk/vendor/polyfills/Window.mjs @@ -1,12 +1,10 @@ // @ts-nocheck (function (undefined) { -// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Window/detect.js var detect = ('Window' in this) if (detect) return -// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Window&flags=always if ((typeof WorkerGlobalScope === "undefined") && (typeof importScripts !== "function")) { (function (global) { if (global.constructor) { From ee08d85951f87fd5464f8596595839e34616c9e9 Mon Sep 17 00:00:00 2001 
From: Brett Kyle
Date: Thu, 11 Jul 2024 20:58:58 +0100
Subject: [PATCH 2/2] Add CHANGELOG entry

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b94c00b0a..aebcc5b432 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
+## Unreleased
+
+### Fixes
+
+We’ve made fixes to GOV.UK Frontend in the following pull requests:
+
+- [#5127: Remove direct links to Polyfill[dot]io](https://github.com/alphagov/govuk-frontend/pull/5127)
+
 ## GOV.UK Frontend v4.8.0 (Feature release)
 This release includes the ability to update the crown logo. You must do this between 19 February and 1 March 2024.