To Polyfill Or Not To Polyfill.io

Schalk Neethling - Mar 6 - - Dev Community

The topic of Polyfill.io and its sale came across my radar about a week ago when Tobie Langel shared a link to LinkedIn on the OpenJS Foundation Slack.

Wesley Hales shared:

I don't do these panicky-type of PSAs unless it's serious, but this is a REALLY REALLY big deal because so many websites use this third party javascript library!

The sale took place on February 24, 2023, so it has been a minute. In the post on LinkedIn, there was a link provided to a GitHub issue, and from there I also found the tweet (X?) from Andrew Betts strongly encouraging folks to stop using the service. At first, it sounded like the main concern here was that a Chinese company was behind the purchase. I understand that in the current world political climate, there is a "trend" to distrust anything Chinese. This however also impacts other communities such as Nigerian communities and others in Africa, India, and many developing countries. Claudio Wunder on the OpenJS Foundation Slack was the first to raise this concern which I then echoed.

As someone from South Africa, I am keenly aware of this and so, I wanted to dig in some more and understand what the larger context was.

After doing some internet sleuthing :) I discovered that the "company" who is likely behind the purchase is called Funnull and when I visited their website, well, let's just say a lot of the concerns became crystal clear. Just looking at their meta description (not translated through a tool), it reads as follows:

【方能CDN】免备案 - 加速 高防 防劫持 IP隐藏。[FUNNULL CDN] The first brand in the industry, with strong technical strength. T-level defense Effective defense against CC attacks Can test multiple sets of pricing plans.

After Tobie had some coffee he shared why he felt this was a valid concern, and what he shared made it crystal clear. Let's start with something seemingly simple, the copyright text right at the bottom of their footer.

@2022 FUNNULL LLC Made in USA

Let's also assume the @ instead of © was a typo, we all make those, but last I checked we are in 2024. Going to their Contact Us page, they seem to have offices at "12H, Stevens Creek Blvd, Cupertino, CA, United States." However, should you enter that into Google Maps, there is no listing for any company by the name Funnull so, "Made in USA"?

One of the other reasons highlighted by Tobie was:

The complete lack of warning and information about the implications of the ownership transfer is very concerning.

I completely agree and this reminds me of the outrage that happened with Audacity [1].

And then this is a big one:

Change in jurisdiction impacts compliance requirements around data processing (e.g. there's no EU-China privacy shield agreement that I'm aware of.)

They do have a General Data Protection Regulation (GDPR) page though, but when you read it you stumble upon this sentence.

funnull.com is fully committed to helping you achieve compliance, so we will launch an anonymous feature before May 25, 2018, and ensure that no user identifiable data is collected or processed as much as possible.

I do not know about you, but that does not instill commitment or a sense of security and respect for user privacy in my mind. If you read a little further you will find this on the same page:

We have thoroughly revised our user privacy and data policy

However, none of us could find a privacy or terms of service page on their website. Even that quoted line does not link to their privacy policy. That is more than enough red flags for me. If I was using the service, I would abandon it for sure.

If you read through the GitHub issue thread this whole situation becomes more and more concerning almost like opening Pandora's Box.

Just the facts

  • Uncertainty about the future of polyfill.io under new ownership, particularly regarding its connection to China.
  • Lack of clear communication and transparency about the ownership transfer and its implications for users.
  • Concerns about potential changes to service terms without notice, affecting user trust and reliability.
  • Technical issues reported by users, such as errors and bad gateway responses, possibly linked to the ownership change.
  • Another shorter GitHub thread.
  • Also see Polykill

What now?

Since the debacle started and exploded in the JavaScript ecosystem Fastly (Fastly's fork of the project) and Cloudflare have stood up alternatives that I would highly recommend. This shows that the open source and web ecosystem "supply chain" still has a lot of problems, edge cases, and gaping holes that need to be addressed.

It also screams that we need to support those who build the projects, libraries, and services we all rely on so we can ensure a secure and sustainable future for open-source and the web.

[1] Do decide for yourself though.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .