bouweandela
commented
1 month ago If we pin those dependencies, is there some way to automate updating them so we don't end up with very outdated dependencies one or two years from now?
Open ewan-escience opened 1 month ago
bouweandela
commented
1 month ago If we pin those dependencies, is there some way to automate updating them so we don't end up with very outdated dependencies one or two years from now?
ewan-escience
commented
1 month ago The point is to not update them automatically. But this would indeed require some regular maintenance.
If you don't think it's worth the effort, that's also fine, but I wanted to point out the risks we currently have.
bouweandela
commented
1 month ago I was thinking of automatically creating a pull request to update the version, so we can review if anything is broken. Would something like that be possible without too much effort?
Linked dependencies, as in
<script src="//cdn.jsdelivr.net/npm/docsify/lib/plugins/search.min.js"></script>don't have a version in their URL, meaning they will always point to the latest version. (Side note: why do these dependencies start with//instead ofhttps://?). This has two risks:If you take off the last part of the path of these dependcies (e.g. https://cdn.jsdelivr.net/npm/docsify/lib/plugins/), you can navigate through the versions.
Furthermore, we should use integrity checks to ensure that the loaded code has not been altered with.