Ask the 100,000 people that downloaded Boost, not me.

Ugh. I hate this so much.

That’s why I said “sold by Amazon”. The drop shippers are all third-parties. Instead of the item saying “Sold by Amazon”, it’ll say something like “Sold by [some third party] and fulfilled by Amazon”.

Stuff sold by Amazon themselves is generally okay, since they’re directly responsible for it (no third party they can blame for any issues).

I try to avoid Amazon where possible though. B&H is pretty good for electronics, and I know I’m not going to get cheap Chinese knockoffs when I search their online store.

Amazon is usually OK if you buy things that are sold by Amazon or sold by the manufacturer (if it’s a well-known brand). The third-party sellers on Amazon based in China are almost always reselling stuff from Aliexpress/Alibaba with a significant markup.

You can pay just a few dollars to remove the ads from Boost.

California (and a few other states) are trying. The CCPA and CPRA are a good step in the right direction. If you’re a California resident, you can request all the data a business has collected about you, tell them to stop sharing it with business partners, or tell them to completely delete it, similar to the GDPR in Europe.

That CAPTCHA isn’t specific to Temu.

My interpretation of that tagline is that since the prices on Temu are cheap, it means you can shop as if you had a lot of money, without actually spending that much.

I agree with you, and don’t really have any answers :)

US will try its best to block technology, including open source projects.

You can’t block open source projects from anyone. That’s the entire point of open source. For a license to be considered open-source, it must not have any limitations as to who can use it.

Yeah, it really depends on how much you trust the vendor.

Google? Say what you want about the company, but they’ll never intentionally serve malware.

Random company with no track record where we don’t even know who is maintaining the code? Much less trustworthy. The polyfill . io repo is currently owned by a Github user called “polyfillpolyfill” with no identifying information.

Third-party CDNs make less sense these days though. A lot of hosting services have a CDN of some sort. Most sites have some sort of build process, and you usually bundle all your JS and CSS (both your code and third-party code, often as separate bundles) as part of that.

deleted by creator

with mails that dont correspond to the original authors,

Oh! I didn’t realise this. Do you have an example?

You’d be surprised how much code people blindly reuse without even looking at it, especially in JavaScript. A bunch of it is from projects owned by random individuals. The JS standard library is ridiculously small, so nearly all JS apps import third-party code of some sort. One JS framework can pull in hundreds of third-party modules.

It’s much less of an issue with languages like C# and even PHP, where the first-party libraries are often sufficient for building a small or mid-sized app.

Most licences require derivative works to be under the same or similar licence

Some, but probably not most. This is mostly an issue with “viral” licenses like GPL, which restrict the license of derivative works. Permissive licenses like the MIT license are very common and don’t restrict this.

MIT does say that “all copies or substantial portions of the Software” need to come with the license attached, but code generated by an AI is arguably not a “substantial portion” of the software.

I expect it’s going likely to be used to train some Chinese AI model.

Even if they do that, the license for open source software doesn’t disallow it from being done.

My favourite part is that the developers that currently own it said:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached

https://github.com/polyfillpolyfill/polyfill-service/issues/2890#issuecomment-2191461961

Completely missing the point that they are the supply chain risk, and the fact that malicious code was already detected in their system (to the point where Google started blocking ads for sites that loaded polyfill .io scripts.

We don’t even know who they are - the repo is owned by an anonymous account called “polyfillpolyfill”, and that comment comes from another anonymous account “polyfillcust”.

Reposting my comment from Github:

A good reminder to be extremely careful loading scripts from a third-party CDN unless you trust the owner 100% (and even then, ownership can change over time, as shown here). You’re essentially giving the maintainer of that CDN full control of your site. Ideally, never do it, as it’s just begging for a supply chain attack. If you need polyfills for older browsers, host the JS yourself. :)

If you really must load scripts from a third-party, use subresource integrity so that the browser refuses to load it if the hash changes. A broken site is better than a hacked one.

And on the value of dynamic polyfills (which is what this service provides):

Often it’s sufficient to just have two variants of your JS bundles, for example “very old browsers” (all the polyfills required by the oldest browser versions your product supports) and “somewhat new browsers” (just polyfills required for browsers released in the last year or so), which you can do with browserslist and caniuse-lite data.

In this case the script wasn’t bundled at all - it was hotlinked from a third party CDN. Adding malicious code instantly affects all the sites that load it.

The output differs depending on browser (it only loads the polyfills your browser needs) so it’s incompatible with subresource integrity.