
fix: update dependencies, resolve security issues, and update configuration for builds #37

Merged
merged 7 commits into from
Sep 19, 2024

Conversation

jaylenw
Member

@jaylenw jaylenw commented Sep 19, 2024

What does this PR do?

This pull request includes several updates to improve the site's configuration and dependencies. The most important changes involve updating URLs for remote data sources, modernizing script dependencies, and ensuring integrity checks for external scripts.

Updates to configuration:

  • README.md: Updated the command to install dependencies to use bundle config --local path $PWD/vendor/bundle && bundle install instead of the previous bundle check --path=vendor/bundle || bundle install --path=vendor/bundle.
  • _config_prod.yml: Changed the remote_data_prefix to https://data.sdg.lacity.gov for production.

Modernizing script dependencies:

Background info

The PR will address several security issues found on the GitHub security scanning page https://github.com/CityOfLosAngeles/open-sdg-site-starter/security/code-scanning.

Integrity checks were implemented using https://www.srihash.org/ as noted on https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#using_subresource_integrity. Dependencies were upgraded to match the versions for dependencies that are listed on the parent project here https://github.com/open-sdg/open-sdg/blob/9ae091ef0c865179d34f1e4d3ba47cb7d2b01462/_includes/scripts.html.

@RV-LACity CodeQL cannot properly parse and analyse autotrack-element.js since it has a mixture of JS and Jekyll Liquid, and hence we have that warning on the security dashboard.

How can this be tested (manually and/or automated test)?

Provide manual tests steps if applicable

I ran the steps to build the site locally using the development configuration and using the local Python server to validate behavior. Notable tests were done on http://localhost:8000/gendertest/ and http://localhost:8000/disconnectedyouth/ as a significant portion of those pages were modified.

Provide steps for running automated tests if applicable

N/A

Which issue(s) is/are related to this PR?

This PR is related to issue #35

close #35
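The integrity checks the PR description refers to, shown as an added example (not code from this repository): it computes a Subresource Integrity value the way srihash.org does (a SHA-384 digest, base64-encoded, prefixed with the algorithm) and mimics the browser-side comparison, where only the strongest algorithm listed in the `integrity` attribute counts. The sample script body and its URL are constructed.

```python
import base64
import hashlib

# Constructed stand-in for a CDN-hosted script (assumption, not a real file).
SAMPLE_SRC = "https://cdn.example.invalid/autotrack.js"
SAMPLE_SCRIPT = b"window.autotrack = function () { return 'autotrack loaded'; };\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for `content`, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag for a cross-origin script: integrity plus crossorigin="anonymous",
    which the browser needs in order to read the response and check the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: parse every 'algo-base64' token, keep only those
    using the strongest algorithm present, and accept if any of them matches.
    A browser loads a resource with no usable metadata without checking; for a
    build-time audit we report that case as a failure so it gets noticed."""
    strength = {"sha256": 1, "sha384": 2, "sha512": 3}
    entries = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        b64 = rest.split("?")[0]  # strip any option string after '?'
        if algo in strength and b64:
            entries.append((strength[algo], algo, b64))
    if not entries:
        return False
    strongest = max(s for s, _, _ in entries)
    return any(sri_hash(content, algo) == f"{algo}-{b64}"
               for s, algo, b64 in entries if s == strongest)


if __name__ == "__main__":
    print(script_tag(SAMPLE_SRC, SAMPLE_SCRIPT))
    tampered = SAMPLE_SCRIPT + b"// injected\n"
    print("original verifies:", verify_integrity(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
    print("tampered verifies:", verify_integrity(tampered, sri_hash(SAMPLE_SCRIPT)))
```

Regenerate the integrity value whenever the pinned dependency version changes; a stale hash makes the browser refuse to run the script rather than silently loading it.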

@jaylenw jaylenw self-assigned this Sep 19, 2024
@jaylenw jaylenw added the enhancement New feature or request label Sep 19, 2024
@jaylenw jaylenw merged commit cbecc55 into development Sep 19, 2024
6 checks passed
@ita-devops-release-manager ita-devops-release-manager bot added the staged PRs that have been merged into the development branch containing changes yet to be pushed to prod label Sep 19, 2024
Successfully merging this pull request may close these issues.

Resolves warnings and errors related to the codebase