CityOfLosAngeles / open-sdg-site-starter

A starting point for the site repository of an Open SDG platform implementation.
https://sdgdata.lamayor.org
MIT License

fix: update dependencies, resolve security issues, and update configuration for builds #37

Closed jaylenw closed 4 hours ago

jaylenw commented 4 hours ago

What does this PR do?

This pull request includes several updates to improve the site's configuration and dependencies. The most important changes involve updating URLs for remote data sources, modernizing script dependencies, and ensuring integrity checks for external scripts.

Updates to configuration:

Modernizing script dependencies:

Background info

The PR will address several security issues found on the GitHub security scanning page https://github.com/CityOfLosAngeles/open-sdg-site-starter/security/code-scanning.

Integrity checks were implemented using https://www.srihash.org/ as noted on https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#using_subresource_integrity. Dependencies were upgraded to match the versions for dependencies that are listed on the parent project here https://github.com/open-sdg/open-sdg/blob/9ae091ef0c865179d34f1e4d3ba47cb7d2b01462/_includes/scripts.html.

@RV-LACity CodeQL cannot properly parse and analyse autotrack-element.js since it has a mixture of JS and Jekyll Liquid, and hence we have that warning on the security dashboard.

How can this be tested (manually and/or automated test)?

Provide manual tests steps if applicable

I ran the steps to build the site locally using the development configuration and using the local Python server to validate behavior. Notable tests were done on http://localhost:8000/gendertest/ and http://localhost:8000/disconnectedyouth/ as a significant portion of those pages were modified.

Provide steps for running automated tests if applicable

N/A

Which issue(s) is/are related to this PR?

This PR is/are related to issue(s) #35

close #35
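The PR description above says integrity values for the external scripts were generated with srihash.org. The following is an added example, not code from this repository or from Open SDG, showing what that service computes and how a build-time check can confirm that every cross-origin `<script>` in the generated HTML carries a usable `integrity` attribute. The `cdn.example.invalid` URLs, the placeholder digests and the `SAMPLE_HTML` fragment are constructed for the example and do not come from the site.

```python
import base64
import hashlib
import re

# Digests the SRI spec allows, weakest to strongest; the index is used to
# pick the strongest algorithm a page offers, as a browser does.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64>' for the bytes.

    This is the same computation srihash.org performs on a fetched file.
    """
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute the way a browser does.

    The attribute may hold several whitespace-separated values. Unknown
    algorithms are ignored; of the known ones only the strongest algorithm
    present is used, and any matching digest for that algorithm passes.
    A browser loads a resource unchecked when no usable metadata is present;
    for a build-time check that case is deliberately reported as a failure.
    """
    candidates: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # the spec permits trailing '?options'
        if sep and algo in SRI_ALGOS:
            candidates.setdefault(algo, set()).add(b64)
    if not candidates:
        return False
    strongest = max(candidates, key=SRI_ALGOS.index)
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return actual in candidates[strongest]


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_script_tags(html: str) -> list[dict]:
    """Return the attribute map of every <script ...> opening tag."""
    tags = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = {name.lower(): (dq or sq) for name, dq, sq in ATTR.findall(m.group(1))}
        tags.append(attrs)
    return tags


def audit_external_scripts(html: str) -> list[str]:
    """List external scripts that lack integrity or the crossorigin attribute.

    Same-origin scripts (relative src) are skipped. A cross-origin script with
    integrity but without crossorigin yields an opaque response that the
    browser cannot check, so the script is blocked rather than verified.
    """
    problems = []
    for attrs in parse_script_tags(html):
        src = attrs.get("src", "")
        if not src.startswith(("http://", "https://", "//")):
            continue
        if "integrity" not in attrs:
            problems.append(f"{src}: no integrity attribute")
        elif "crossorigin" not in attrs:
            problems.append(f"{src}: integrity without crossorigin (opaque response cannot be checked)")
    return problems


# Constructed sample of generated HTML; the hosts and digests are placeholders.
SAMPLE_HTML = """
<script src="/assets/js/site.js"></script>
<script src="https://cdn.example.invalid/lib.js"></script>
<script src="https://cdn.example.invalid/lib2.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example.invalid/lib3.js"
        integrity="sha384-AAAA sha512-BBBB" crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    for line in audit_external_scripts(SAMPLE_HTML):
        print(line)
```

Run against the `_site` output of a Jekyll build, the audit flags any script tag the PR missed; the integrity value itself can also be produced without the website, using the `openssl dgst -sha384 -binary FILE | openssl base64 -A` pipeline that the MDN page linked above documents. Either way the hash is tied to one exact file, so every later version bump of a CDN script must regenerate it.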