I need to replace the polyfill.js in the Editor (located in three.js/editor/js/libs/ternjs/polyfill.js). Apparently it’s tripping a security scan because a company that recently bought out polyfill.io turned it into an attack vector… (Polyfill supply chain attack hits 100K+ sites). So, while the polyfill.js included in the Editor is clean (it was added years before its source was bought up), it still trips the scans.
Isn’t it generally a bad idea to randomly remove code from a project you didn’t build, introducing the possibility of errors you won’t understand far down the road, rather than just swapping out a file for an up-to-date in-parity one that’s already been tested by experts?
Okay, I just tried it and now (predictably) it’s throwing a bunch of errors. Rather than waste time tracking them down (since the problem is a missing file that was haphazardly pulled from the code base), I’m going to pivot back to the original topic – has anyone replaced the polyfill.js file yet, and if so what version worked for them?
Rather than “updating” that old polyfill, you might be better off just fixing the errors removing it causes. And fixing those errors may end up improving performance if switched to native replacements for the polyfilled parts.
When I suggested removing it, I didn’t mean just deleting the file, I also meant removing references to it, such as where it’s imported, etc.
While it is scary to confront errors caused by removing dead code, it’s also a natural consequence of increasing code quality by reducing technical debt, and if that polyfill is bothering you, then removing it might be a good idea.
All that said… I pulled the master branch of the repo, renamed that polyfill.js to polyfill.ff and the editor loaded and ran without errors.
So I’m not sure what the issue is that you’re describing, @egreenberg ?
edit: nvm I see the import error… cool that the editor still seems to run ok tho.
edit2: i removed the
I’ve gone ahead and rebuilt the file using the Cloudflare replacement… which is unfortunately awful – rather than allowing you to just download the replacement polyfill.js of your choice, it reads your browser version and decides you don’t need it. You have to either edit the network response header to fool it into thinking that you have an older browser or use a text-based browser like Lynx to access the code you need. Completely ridiculous.
Once that was accessed, it turns out it didn’t come with the Json3 code that’s at the end of the original file. On top of that, the Json3 link in the old file is either going to a now dead project or the link has rotted. So, I used the Wayback Machine to access the correct link from an archived copy – it looks up code from the Cloudflare CDN. I pulled the code out from the matching version (https://cdnjs.cloudflare.com/ajax/libs/json3/3.2.4/json3.js) and pasted it into the end of my new polyfill.js file.
That did the trick.
Hopefully the good people maintaining ThreeJS will spot the old polyfill.js and replace it with something less hacky than the monstrosity I just produced.
I’m sure the quality of your codebase has been greatly improved by replacing some unused code with some other unused code you found on the wayback machine.
lol
As long as it stops tripping the security scanning software, I’m happy.
Honestly, the old code is perfectly safe – nothing in it is making any sort of call or doing anything unsafe, but you have to check all the boxes to pass security scans.
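
A triage check for the kind of finding discussed in this thread, as an added example that is not part of any post and not three.js code: it separates comment-only mentions of polyfill.io in a vendored script from references that remain in executable source. The function names and sample strings are constructed for illustration, and the comment stripping is a regex heuristic.

```javascript
// Added example: heuristic triage of polyfill.io mentions in a vendored script.
// The regex comment stripper can be fooled by "//" or "/*" inside string literals.
const HOST = /(?:^|[^\w.-])((?:[\w-]+\.)*polyfill\.io)\b/i;

function stripComments(src) {
  return src
    // Blank out block comments but keep newlines so line numbers stay aligned.
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    // Drop line comments; "//" after ':' or a quote is treated as part of a URL.
    .replace(/(^|[^:'"`\\])\/\/.*$/gm, '$1');
}

function triagePolyfillRefs(src) {
  const raw = src.split('\n');
  const code = stripComments(src).split('\n');
  const findings = [];
  raw.forEach((line, i) => {
    const hit = HOST.exec(line);
    if (!hit) return;
    findings.push({
      line: i + 1,
      host: hit[1].toLowerCase(),
      // "code" means the host survives comment stripping on that line.
      kind: HOST.test(code[i]) ? 'code' : 'comment-only',
    });
  });
  return findings;
}

// Constructed samples (not taken from the three.js repository).
const SAMPLE_INERT = [
  '/* Polyfill bundle generated by https://cdn.polyfill.io/v2/docs/ */',
  '// see polyfill.io for options',
  'if (!Array.prototype.includes) { /* ... */ }',
].join('\n');

const SAMPLE_ACTIVE = [
  'var s = document.createElement("script");',
  's.src = "https://cdn.polyfill.io/v3/polyfill.min.js"; // legacy loader',
  'document.head.appendChild(s);',
].join('\n');

console.log(triagePolyfillRefs(SAMPLE_INERT));
console.log(triagePolyfillRefs(SAMPLE_ACTIVE));
```

A `code` finding is the one to review by hand, since the host appears outside comments; `comment-only` findings are inert text that a string-matching scanner may still report.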