Drupal Security Team Warns of Third-Party Library Risks and Supply Chain Issues

Photo: Adi Goldstein / Unsplash

The Drupal Security Team has issued a new Public Service Announcement (PSA) addressing security concerns related to third-party libraries and supply chains within the Drupal ecosystem. The PSA underscores the importance of site owners actively managing the security of their third-party dependencies, recommending tools such as Software Bill of Materials (SBOM), scanner services, Content Security Policy (CSP), and Subresource Integrity (SRI) to mitigate risks.

A recent security issue has emerged involving the polyfill.io service, which was acquired by a new organization and found to serve malicious content under specific conditions. This has affected several contributed Drupal projects, prompting trusted providers to offer replacements for polyfill.io. Site owners are advised to update their sources or consider removing polyfills if they are no longer necessary.

To address the impact on multiple Drupal projects, code changes and new releases will be needed to switch to alternative providers. Since these concerns involve third-party libraries, the Drupal Security Team will not issue Security Advisories but will handle them through public issue queues. Despite significant changes in third-party code usage since PSA-2011-002, the team's scope remains limited to code hosted on drupal.org's systems. For more information, visit the Drupal PSA page.

Source Reference

URL: https://www.drupal.org/psa-2024-06-26

Disclosure: This content is produced with the assistance of AI.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and to promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation in this, please let us know in the comments below and we will try to address the issue as best we can.
