
Clarify practices regarding browser polyfills and third party CDNs

Open josebolos opened this issue 1 year ago • 2 comments

  • Adds link explaining what a browser polyfill is.
  • Adds the data protection risk to the "use of third party CDN" risks.
  • Makes it clearer that using third party CDNs is not an acceptable practice, ever, both in the "static resources" page and in the "polyfill" section of the javascript house style page.
  • Also minor whitespace adjustments and updating TOCs for consistency.

josebolos avatar Mar 06 '24 14:03 josebolos

I wonder if we should suggest that any NPM dependency used to load polyfills should be locked down to an exact version in a package.json / package-lock.json, and that version range syntax should not be used. To mitigate risk of an NPM dependency getting compromised and publishing code that we import and load in production. But I guess that applies to any NPM dependency used in production code.

benjclark avatar Mar 06 '24 15:03 benjclark

@benjclark Yeah, good point. Interestingly, we also suggest using SRI which, if my understanding is correct, could also help with these issues. I don't think we use it extensively, though.

josebolos avatar Mar 07 '24 09:03 josebolos

Hi @benjclark (and everyone else) - thinking more about this, it looks like the dependency version locking would be a much bigger (and very worthwhile) conversation to have, especially in light of security news in the last few months/years.

Given most of that work should probably end up in the "Managing Node Projects" doc, and that this PR was focused on removing specific third party providers from the JavaScript house style doc, would you be ok with this being merged as it is? Dependency management could probably be discussed in the Open Space instead.

josebolos avatar Jun 20 '24 11:06 josebolos

@josebolos No objection from me about merging this as is, makes sense 👍

benjclark avatar Jun 20 '24 11:06 benjclark