<aside> 🔜 TLDR: a new security warning was issued for a commonly used CDN, which is used in our snippet (but not our NPM package).

• If you’re using the CommandBar snippet, you should upgrade yours to the latest here.
• If you’re using the NPM package, no action is needed.

</aside>

What is the issue?

A security warning was issued for a commonly used CDN: polyfill.io. You can read more about it here.

Is CommandBar impacted?

We referenced this CDN in the following places in our snippet, which is the non-default method of installing CommandBar preferred by some customers.

The CDN was used for handling edge cases where a user is using an outdated browser that doesn’t support modern browser functionality. (Without this, CommandBar would have failed entirely for these users.) The specific polyfills used were:

• Symbol.for: needed for 2% of desktop users (link)
• Symbol: needed for 1.89% of desktop users (link)
• Object.assign not available: needed for .28% of desktop users (link)

The most commonly used browsers lacking these features are Internet Explorer 11 and earlier and old versions of Safari. We estimate about 2% of end users globally would fit these criteria (you can’t sum the numbers above, as many users who require one polyfill require multiple), but your user base might vary.

• For other users (not on outdated browsers), the CDN was never loaded or used in any way because it was conditionally loaded.
• If your application has already polyfilled these methods, CommandBar would have inherited from your approach.

What action should I take?

• If you’re using the snippet to install CommandBar —> We’ve updated our snippet. You can find the latest below. We recommend upgrading to this version of the snippet immediately.
  • New snippet
• If you don’t know which installation method you used —> ask the engineer who installed CommandBar.
• If you’re using an NPM package to install CommandBar —> no action is needed.