Maritime-Robotics-Student-Society / blog

Southampton sailing robot blog site
https://blog.sotonsailrobot.org/
MIT License

Update NPM Dependencies #19

Closed zysim closed 5 years ago

zysim commented 5 years ago

Closes: #11

This PR should solve any warnings we get on vulnerable dependencies.

Warning: This is still a WIP.

zysim commented 5 years ago

Updating grunt to ^1.0.4, and grunt-contrib-jshint to ^2.1.0, solves a big majority of the dependency issues. However, three dev dependencies, grunt-imgcompress, grunt-newer, and grunt-surround, need grunt to be ~0.4.0. I could fork these dependencies and work from there.

My output:

npm WARN grunt-imgcompress@0.1.2 requires a peer of grunt@~0.4.0 but none is installed. You must install peer dependencies yourself.
npm WARN grunt-newer@0.7.0 requires a peer of grunt@~0.4.1 but none is installed. You must install peer dependencies yourself.
npm WARN grunt-surround@0.1.0 requires a peer of grunt@~0.4.1 but none is installed. You must install peer dependencies yourself.
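As an added example (not code from this PR or the blog repository), a small Node script that parses the peer warnings pasted above and checks each required range against a candidate grunt version using npm's tilde and caret rules; it shows concretely why ^1.0.4 cannot satisfy the ~0.4.x peer ranges. Only plain x.y.z versions prefixed with ~ or ^ are handled.

```javascript
// Constructed input: the three npm WARN lines quoted in the comment above.
const WARNINGS = `
npm WARN grunt-imgcompress@0.1.2 requires a peer of grunt@~0.4.0 but none is installed. You must install peer dependencies yourself.
npm WARN grunt-newer@0.7.0 requires a peer of grunt@~0.4.1 but none is installed. You must install peer dependencies yourself.
npm WARN grunt-surround@0.1.0 requires a peer of grunt@~0.4.1 but none is installed. You must install peer dependencies yourself.
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Convert a ~x.y.z or ^x.y.z range to a half-open interval [lo, hi).
function rangeBounds(range) {
  const op = range[0];
  const lo = parseVersion(range.slice(1));
  const [maj, min, pat] = lo;
  let hi;
  if (op === '~') hi = [maj, min + 1, 0];                // ~1.2.3 := >=1.2.3 <1.3.0
  else if (op === '^' && maj > 0) hi = [maj + 1, 0, 0];  // ^1.2.3 := >=1.2.3 <2.0.0
  else if (op === '^' && min > 0) hi = [0, min + 1, 0];  // ^0.2.3 := >=0.2.3 <0.3.0
  else if (op === '^') hi = [0, 0, pat + 1];             // ^0.0.3 := >=0.0.3 <0.0.4
  else throw new Error(`unsupported range: ${range}`);
  return { lo, hi };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(range);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Extract {pkg, peer, range} from npm's "requires a peer of" warnings.
function parsePeerWarnings(text) {
  const re = /npm WARN (\S+) requires a peer of (\S+)@(\S+) but/g;
  return [...text.matchAll(re)].map(([, pkg, peer, range]) => ({ pkg, peer, range }));
}

// Packages whose grunt peer range the candidate grunt version would not satisfy.
function conflictingPeers(text, candidate) {
  return parsePeerWarnings(text)
    .filter((w) => w.peer === 'grunt' && !satisfies(candidate, w.range))
    .map((w) => w.pkg);
}

console.log(conflictingPeers(WARNINGS, '1.0.4'));
```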

takluyver commented 5 years ago

Forking them sounds like a lot of effort. I'd check whether we actually still need them (e.g. have they been folded into other packages), and are there newer alternatives which everyone now uses instead?

zysim commented 5 years ago

Yeah that's what I thought of too. @tsaoyu mind checking if we still need them? I'm going through them now myself too, but I may miss some things out.

tsaoyu commented 5 years ago

I don't know if we need it or not. I set up this blog using the made-mistakes template and they have updated the package list to mitigate the security issue. Maybe worth migrating to the newer version.

zysim commented 5 years ago

I'll look at that this evening :+1:

zysim commented 5 years ago

Going through Made Mistakes, there really doesn't seem to be an easy way to fix these vulnerabilities. The docs for that template itself say that we'd need to rework quite a bit of it in order to publish it to GitHub Pages. Case in point, it has a few plugins in its Gemfile that aren't allowed in Pages. On top of this, I'm struggling to even get the repo to build on my machine haha.

zysim commented 5 years ago

I should also mention that the NPM updates aren't as simple as updating the package.json in Made Mistakes.

takluyver commented 5 years ago

If it's not straightforward, I'd say don't waste time on it. I still don't think the vulnerabilities matter for a static site.

On Sun, 25 Aug 2019, 18:12 Zhong-yuen Lee, notifications@github.com wrote:

Reopened #19 https://github.com/Maritime-Robotics-Student-Society/blog/pull/19.


zysim commented 5 years ago

Yeah that's true. Just thought I'd be able to tackle it :P