Worth grepping your source code for "polyfill.io" and taking urgent measures to remove that code if you're linking it into your site - the domain name apparently now intermittently serves malicious JavaScript.
My notes here: https://simonwillison.net/2024/Jun/25/polyfill-supply-chain-attack/ - or read this article https://sansec.io/research/polyfill-supply-chain-attack
@simon I'm happy in the knowledge that my source code never downloads code at run-time.
When we build, we know what we build, and our binaries are signed and all that.
@halla @simon There is something comforting about working in a regulated space where we have to account for every scrap of code in our applications and retain it in archive for 60+ years ("for the life of the facility"). I feel for the people still stuck doing webdev but I can't say I miss the technology or the culture, especially how it's evolved since 2009. :/