From 387ef538c13f8fb4bb67a801639aaa7c1ab7c8b3 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Wed, 26 Jun 2024 10:06:13 -0400
Subject: [PATCH] Mojolicious-Plugin-LazyImage polyfill.io compromise
---
 .../CPANSA-Mojolicious-Plugin-LazyImage.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 cpansa/CPANSA-Mojolicious-Plugin-LazyImage.yml
diff --git a/cpansa/CPANSA-Mojolicious-Plugin-LazyImage.yml b/cpansa/CPANSA-Mojolicious-Plugin-LazyImage.yml
new file mode 100644
index 0000000..2471256
--- /dev/null
+++ b/cpansa/CPANSA-Mojolicious-Plugin-LazyImage.yml
@@ -0,0 +1,23 @@
+---
+- affected_versions: <=0.01
+ cves:
+ - CVE-2024-38526
+ description: >
+ pdoc provides API Documentation for Python Projects. Documentation
+ generated with `pdoc --math` linked to JavaScript files from
+ polyfill.io. The polyfill.io CDN has been sold and now serves
+ malicious code. This issue has been fixed in pdoc 14.5.1.
+ distribution: Mojolicious-Plugin-LazyImage
+ embedded_vulnerability:
+ distributed_version: ~
+ name: polyfill.io
+ fixed_versions: ~
+ id: CPANSA-Mojolicious-Plugin-LazyImage-2024-38526
+ references:
+ - https://github.com/mitmproxy/pdoc/pull/703
+ - https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
+ - https://sansec.io/research/polyfill-supply-chain-attack
+ - https://github.com/briandfoy/cpan-security-advisory/issues/155
+ - https://stackdiary.com/polyfill-compromise-hits-100000-sites-in-a-supply-chain-attack/
+ reported: 2024-06-26
+ severity: ~
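Review bot: The `description` block is copied from the pdoc advisory (`pdoc --math`, "fixed in pdoc 14.5.1") and says nothing about how Mojolicious-Plugin-LazyImage itself is exposed; it should state what this distribution does with polyfill.io (presumably it emits a `<script>` tag that loads from the polyfill.io CDN into rendered pages, which I cannot confirm from the hunk) and, given `fixed_versions: ~`, that the only remediation is to remove or self-host that reference. CVE-2024-38526 is assigned to pdoc, not to this distribution, so listing it under `cves` and deriving the record name `CPANSA-Mojolicious-Plugin-LazyImage-2024-38526` from it conflates another project's CVE with this one; unless the corpus convention is to reuse the upstream CVE for every consumer of polyfill.io, `cves: ~` with the pdoc links kept only as background references would be more accurate. The sansec write-up is the primary source for the compromise itself and is the reference a consumer of this feed should see first, so a one-line sentence in the description pointing at it would make the record self-contained.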