by SahAssar 722 days ago
This is not an "open source project", this is a service. When I use an open source project I take it as it is now and take a risk on it not being updated, but any updates are "pull", as in that I willingly take in changes.

In this case the service is "push", which is very different. Any website that used polyfill.io can have any changes pushed to it, regardless of whether the author even knew about a change being made.

If my popular project is replaced with a single poop emoji on NPM, any existing user is fine (especially since NPM keeps old versions after the whole left-pad thing) and will find an alternative. If polyfill.io replaces their code with

    document.documentElement.innerHTML = '💩'

that's not fine, since it affects existing users without any update step.

I think that nobody should use these public CDNs at all, including things like unpkg and cdnjs, or at the very least use subresource integrity. Either way this has been something that has been on the horizon for years and similar to the buying of popular web extensions.