Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin dependencies and add integrity checks #344

Open
ewan-escience opened this issue Sep 27, 2024 · 3 comments
Open

Pin dependencies and add integrity checks #344

ewan-escience opened this issue Sep 27, 2024 · 3 comments

Comments

@ewan-escience
Copy link
Member

Linked dependencies, as in <script src="//cdn.jsdelivr.net/npm/docsify/lib/plugins/search.min.js"></script> don't have a version in their URL, meaning they will always point to the latest version. (Side note: why do these dependencies start with // instead of https://?). This has two risks:

  1. A new version might break the guide (through a bug or a changed API)
  2. A version with malicious code might be used

If you take off the last part of the path of these dependcies (e.g. https://cdn.jsdelivr.net/npm/docsify/lib/plugins/), you can navigate through the versions.

Furthermore, we should use integrity checks to ensure that the loaded code has not been altered with.

@bouweandela
Copy link
Member

If we pin those dependencies, is there some way to automate updating them so we don't end up with very outdated dependencies one or two years from now?

@ewan-escience
Copy link
Member Author

The point is to not update them automatically. But this would indeed require some regular maintenance.

If you don't think it's worth the effort, that's also fine, but I wanted to point out the risks we currently have.

@bouweandela
Copy link
Member

I was thinking of automatically creating a pull request to update the version, so we can review if anything is broken. Would something like that be possible without too much effort?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants