Giphy is pulling in files from S3 which raises security and privacy concerns

[strefethen]

Duplicates

• I have searched the existing issues

Latest version

• I have tested the latest version

Current behavior 😯

Giphy refers to fonts on S3

https://github.com/Giphy/giphy-js/blob/master/packages/brand/src/typography.ts

Expected behavior 🤔

Fonts should be hosted on a known good CDN not via an S3 bucket.

Steps to reproduce 🕹

Steps:

1. View https://github.com/Giphy/giphy-js/blob/master/packages/brand/src/typography.ts
2. Notice the font references are to an S3 bucket.

Screenshots or Videos 📹

No response

Platform 🌍

• OS: macOS
• Browser: Safari
• v18.2

GIPHY-JS SDK version

@giphy/js-brand 3.0.0

TypeScript version

No response

Additional context 🔦

coralproject/talk#4718 (comment)

[giannif]

@strefethen thanks for reporting this. Are you using @giphy/js-brand directly? It was a way to share css and colors, but it was removed from our most popular package @giphy/react-components awhile ago. It does still exist in @giphy/svelte-components but could be replaced with @giphy/colors and then we can deprecate it completely

[strefethen]

Hi @giannif, thanks very much for the reply. No, I'm not using it directly, rather it was pulled in as a dependency by a project called Coral which I started using. I just checked the version and Coral is using v5.4.0 of @giphy/react-components so it seems it's very outdated considering the latest release looks like v9.8.0 so that's very likely the problem.

Again, greatly appreciate the reply and I'll share these details with the Coral project.