Need to replace polyfill.js

I need to replace the polyfill.js in the Editor (located in three.js/editor/js/libs/ternjs/polyfill.js). Apparently it’s tripping a security scan because a company that recently bought out polyfill.io turned it into an attack vector… (Polyfill supply chain attack hits 100K+ sites). So, while the polyfill.js included in the Editor is clean (it was added years before its source was bought up), it still trips the scans.

The scanning software suggests getting a cleaner copy from either cdnjs.cloudflare.com/polyfill or New options for Polyfill.io users - #2 by eligrey - General - Fastly Community (which is really just a suggestion for https://polyfill-fastly.io/), but both of these require a bit of configuration before download… so I wanted to ask – has anyone done this recently? Looking over the files, my guess is that I should just get the es5 version of the polyfill, but any advice would be appreciated.

Thanks!

Can you just remove it? I can’t imagine what you need a polyfill for on any browser that actually supports threejs properly.

1 Like

Isn’t it generally a bad idea to randomly remove code from a project you didn’t build, introducing the possibility of errors you won’t understand far down the road, rather than just swapping out a file for an up-to-date in-parity one that’s already been tested by experts?

Well, I guess the idea is that that code never ever ran because there was a native version of everything.

1 Like

Okay, I just tried it and now (predictably) it’s throwing a bunch of errors. Rather than waste time tracking them down (since the problem is a missing file that was haphazardly pulled from the code base), I’m going to pivot back to the original topic – has anyone replaced the polyfill.js file yet, and if so what version worked for them?

Relevant source file for anyone reading:

First thing to note, the copyright on the JSON sections is from 2011.
These shims are for ECMAScript 5.

So presumably they are over a decade old.

The caniuse for es5 (ECMAScript 5 | Can I use... Support tables for HTML5, CSS3, etc) says it’s available everywhere except IE 6 - 8,
which are both way past end of life and won’t support modern WebGL anyway in any meaningful capacity.
The market share for those browsers appears to be ~Zero:
https://www.w3counter.com/trends

Rather than “updating” that old polyfill, you might be better off just fixing the errors removing it causes. And fixing those errors may end up improving performance if switched to native replacements for the polyfilled parts.

When I suggested removing it, I didn’t mean just deleting the file, I also meant removing references to it, such as where it’s imported etc.

While it is scary to confront errors caused by removing dead code, it’s also a natural consequence of increasing code quality by reducing technical debt, and if that polyfill is bothering you, then removing it might be a good idea.

Or it is still run but is overriding some (now) native functionality with hand rolled js.

1 Like

All that said… I pulled the master branch of the repo, renamed that polyfill.js to polyfill.ff
and the editor loaded and ran without errors.
So I’m not sure what the issue is that you’re describing, @egreenberg ?

edit: nvm I see the import error… cool that the editor still seems to run ok tho.
edit2: i removed the

	<!--script src="js/libs/ternjs/polyfill.js"></script-->

from index.html and the import error went away.

I looked at:
https://ternjs.net/#:~:text=Tern%20is%20a%20stand-alone,Function%20argument%20hints

looks like it’s related to code autocomplete etc. maybe part of the code editor in the threejs editor?

I tested the code editor inside the threejs editor (without that shim), and it seems to be working ok.

So… I dunno… I guess… do what you gotta do? but it seems fine without that shim…

1 Like

Thanks for the effort, I appreciate the time.

I’ve gone ahead and rebuilt the file using the Cloudflare replacement… which is unfortunately awful – rather than allowing you to just download the replacement polyfill.js of your choice, it reads your browser version and decides you don’t need it. You have to either edit the network response header to fool it into thinking that you have an older browser or use a text-based browser like Lynx to access the code you need. Completely ridiculous.

Once that was accessed, it turns out it didn’t come with the Json3 code that’s at the end of the original file. On top of that, the Json3 link in the old file is either going to a now dead project or the link has rotted. So, I used the Wayback Machine to access the correct link from an archived copy – it looks up code from the cloudflare cdn. I pulled the code out from the matching version ( https://cdnjs.cloudflare.com/ajax/libs/json3/3.2.4/json3.js ) and pasted it into the end of my new polyfill.js file.

That did the trick.

Hopefully the good people maintaining ThreeJS will spot the old polyfill.js and replace it with something less hacky than the monstrosity I just produced.

1 Like

I’m sure the quality of your codebase has been greatly improved by replacing some unused code with some other unused code you found on the wayback machine.
:smiley:

1 Like

lol
As long as it stops tripping the security scanning software, I’m happy.

Honestly, the old code is perfectly safe – nothing in it is making any sort of call or doing anything unsafe, but you have to check all the boxes to pass security scans.

1 Like
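Added example, not written by any poster in this thread and not three.js code: the thread turns on the difference between a vendored file that is only named polyfill.js and a page that loads script from polyfill.io at run time. This Node.js sketch triages script references along that line, including the commented-out tag quoted above; the function names and the `loader.js` sample are hypothetical and the sample input is constructed.

```javascript
// Added example: separate run-time loads from the flagged domain from
// files that merely share the polyfill.js name. All names here are hypothetical.
const FLAGGED_DOMAIN = 'polyfill.io'; // the domain named in the thread

function hostIsFlagged(host) {
  const h = host.toLowerCase();
  return h === FLAGGED_DOMAIN || h.endsWith('.' + FLAGGED_DOMAIN);
}

function classifySrc(src) {
  // Absolute and protocol-relative URLs are fetched from a remote host.
  const m = /^(?:https?:)?\/\/([^\/?#:]+)/i.exec(src.trim());
  if (m) return hostIsFlagged(m[1]) ? 'remote-flagged' : 'remote-other';
  const path = src.split(/[?#]/)[0];
  return /(^|\/)polyfill(\.min)?\.js$/i.test(path) ? 'local-name-match' : 'local-other';
}

function triage(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const live = text.replace(/<!--[\s\S]*?-->/g, ''); // commented-out tags never load
    for (const m of live.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
      findings.push({ file, ref: m[1], kind: classifySrc(m[1]) });
    }
    // URLs elsewhere in the text, e.g. a script element built in JavaScript.
    for (const m of live.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+)\/[^\s"'<>)]*/gi)) {
      const seen = findings.some((f) => f.file === file && f.ref === m[0]);
      if (hostIsFlagged(m[1]) && !seen) findings.push({ file, ref: m[0], kind: 'remote-flagged' });
    }
  }
  return findings;
}

// Constructed sample input (not taken from the three.js repository).
const sample = {
  'index.html': [
    '<!--script src="js/libs/ternjs/polyfill.js"></script-->',
    '<script src="js/libs/ternjs/polyfill.js"></script>',
    '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>',
    '<script src="https://notpolyfill.io/x.js"></script>',
  ].join('\n'),
  'loader.js': 'var s = document.createElement("script"); s.src = "//polyfill.io/v3/polyfill.js";',
};

console.log(triage(sample));
```

A `local-name-match` finding is the case discussed in this thread: the file name matches, but nothing is fetched from the flagged domain, so the file's contents and provenance are what need review.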