by roywiggins 663 days ago
It seems that PostHog just always loads the latest version of this piece of itself:

https://github.com/PostHog/posthog/issues/24471#issuecomment...

Though you can opt to bundle it yourself:

https://github.com/PostHog/posthog/issues/24471#issuecomment...

4 comments

>> It seems that PostHog just always loads the latest version of this piece of itself:

Now there's a supply chain attack vector...

Years ago, IT at the company I was working at force-pushed a browser extension that did this same trick, but the extension vendor in question didn't even bother loading over https.

Edit: the extension's manifest gave it nearly every permission, on every web site, including internal ones

> I definitely want to figure out in detail what happened here so I can add a test to prevent a similar change in future!

Whoa! Good idea!

Could have been worse. At least the change didn't expose a hidden exploit.

Ouch. That just adds insult to injury.