Drupal Security Team Warns of Third-Party Library Risks and Supply Chain Issues
The Drupal Security Team has issued a new Public Service Announcement (PSA) addressing security concerns related to third-party libraries and supply chains within the Drupal ecosystem. The PSA underscores the importance of site owners actively managing the security of their third-party dependencies, recommending tools such as Software Bill of Materials (SBOM), scanner services, Content Security Policy (CSP), and Subresource Integrity (SRI) to mitigate risks.
A recent security issue has emerged involving the polyfill.io service, which was acquired by a new organization and found to serve malicious content under specific conditions. This has affected several contributed Drupal projects, prompting trusted providers to offer replacements for polyfill.io. Site owners are advised to update their sources or consider removing polyfills if they are no longer necessary.
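As an added example (not code from the PSA or from any Drupal project), the Python below shows two of the site-owner checks the announcement recommends: pinning a third-party script with a Subresource Integrity hash and verifying a fetched copy against it using the browser's strongest-algorithm rule, and scanning a template for external scripts that are still loaded without an `integrity` attribute. The HTML template and script body are constructed sample data.

```python
import base64
import hashlib
import re

# Constructed sample template: one third-party script loaded with no integrity
# attribute (the exposure the PSA describes), one that already carries SRI.
SAMPLE_HTML = """
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.invalid/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
"""

SRI_ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest, per the SRI spec


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity token a site owner pins for this exact file content."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Apply the browser rule: only tokens using the strongest listed algorithm
    count, and the resource is accepted if any one of those tokens matches."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in SRI_ALGS]
    if not tokens:
        return False  # no usable token: treat as failed, never as "unpinned"
    strongest = max(SRI_ALGS.index(t.split("-", 1)[0]) for t in tokens)
    alg = SRI_ALGS[strongest]
    expected = sri_hash(body, alg)
    return any(t == expected for t in tokens if t.startswith(alg + "-"))


def scripts_without_sri(html: str) -> list[str]:
    """List external script URLs the template loads with no integrity attribute.
    A swapped or compromised CDN response would run unchecked for these."""
    missing = []
    for tag in re.finditer(r"<script\b([^>]*)>", html, re.I):
        attrs = tag.group(1)
        src = re.search(r"""\bsrc\s*=\s*["']([^"']+)""", attrs, re.I)
        if src and not re.search(r"\bintegrity\s*=", attrs, re.I):
            missing.append(src.group(1))
    return missing


if __name__ == "__main__":
    body = b"window.polyfilled = true;\n"  # constructed stand-in for a served bundle
    token = sri_hash(body)
    print("pin:", token, "| tampered copy accepted:", sri_matches(body + b"//", token))
    print("unpinned scripts:", scripts_without_sri(SAMPLE_HTML))
```

When replacing a polyfill.io reference with another provider, regenerate the token from the exact file you vetted; any later change to that file, benign or not, then fails the check instead of executing.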
To address the impact on multiple Drupal projects, code changes and new releases will be needed to switch to alternative providers. Since these concerns involve third-party libraries, the Drupal Security Team will not issue Security Advisories but will handle them through public issue queues. Despite significant changes in third-party code usage since PSA-2011-002, the team's scope remains limited to code hosted on drupal.org's systems. For more information, visit the Drupal PSA page.
Disclosure: This content is produced with the assistance of AI.