fix: update dependencies, resolve security issues, and update configuration for builds #37
What does this PR do?
This pull request includes several updates to improve the site's configuration and dependencies. The most important changes involve updating URLs for remote data sources, modernizing script dependencies, and ensuring integrity checks for external scripts.
Updates to configuration:
README.md: Updated the command to install dependencies to use `bundle config --local path $PWD/vendor/bundle && bundle install` instead of the previous `bundle check --path=vendor/bundle || bundle install --path=vendor/bundle`.
_config_prod.yml: Changed the `remote_data_prefix` to `https://data.sdg.lacity.gov` for production.
Modernizing script dependencies:
_includes/components/download-all-metadata.html: Updated jQuery and PapaParse script URLs to use newer versions with integrity checks.
_includes/scripts.html: Updated various script URLs to use newer versions with integrity checks, including jQuery, Tether, Bootstrap, DataTables, and others.
Background info
The PR will address several Security issues found on the GitHub security scanning page https://github.com/CityOfLosAngeles/open-sdg-site-starter/security/code-scanning.
Integrity checks were implemented using https://www.srihash.org/ as noted on https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#using_subresource_integrity. Dependencies were upgraded to match the versions for dependencies that are listed on the parent project here https://github.com/open-sdg/open-sdg/blob/9ae091ef0c865179d34f1e4d3ba47cb7d2b01462/_includes/scripts.html.
@RV-LACity CodeQL cannot properly parse and analyse autotrack-element.js since it has a mixture of JS and Jekyll liquid and hence we have that warning on the security dashboard.
How can this be tested (manually and/or automated test)?
Provide manual test steps if applicable
I ran the steps to build the site locally using the development configuration and using the local Python server to validate behavior. Notable tests were done on http://localhost:8000/gendertest/ and http://localhost:8000/disconnectedyouth/ as a significant portion of those pages were modified.
Provide steps for running automated tests if applicable
N/A
Which issue(s) is/are related to this PR?
This PR is/are related to issue(s) #35
close #35
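The integrity checks this PR adds are the Subresource Integrity tokens that srihash.org computes; the following is an added example, not code from the PR or the open-sdg project, showing how such a token is derived from a script's bytes, how the tag is rendered, and how a browser-style check compares fetched bytes against the attribute. The sample script bytes and the URL are constructed; note the case where the attribute carries no usable token, which silently disables the check.

```python
import base64
import hashlib

# Hash algorithms the SRI specification accepts in an integrity attribute.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>' for the given bytes."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = SRI_ALGORITHMS[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes, algo: str = "sha384") -> str:
    """Render a <script> tag; crossorigin is required for SRI on cross-origin CDN scripts."""
    return f'<script src="{src}" integrity="{sri_hash(data, algo)}" crossorigin="anonymous"></script>'


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Browser-style check: the attribute may list several tokens; the strongest known
    algorithm is selected and the data passes if it matches any token of that algorithm.
    Tokens with unknown algorithms are ignored, and if none remain the resource is loaded
    unchecked (so a typo in the attribute disables the protection rather than failing closed)."""
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGORITHMS and b64:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return True
    strongest = max(by_algo, key=lambda a: SRI_ALGORITHMS[a]().digest_size)
    return sri_hash(data, strongest).partition("-")[2] in by_algo[strongest]


if __name__ == "__main__":
    # Constructed sample: the bytes a CDN would serve for a hypothetical script URL.
    sample = b"console.log('constructed sample script');\n"
    print(script_tag("https://cdn.example.invalid/sample.js", sample))
    print("unmodified passes:", verify_integrity(sample, sri_hash(sample)))
    print("tampered passes:", verify_integrity(sample + b"// tampered\n", sri_hash(sample)))
```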