jsonresume / jsonresume.org

The mono repo that builds the homepage, utils, ui components, registry and anything else
https://jsonresume.org
68 stars, 18 forks

fix: reduce security vulnerabilities #29

Closed levino closed 9 months ago

levino commented 9 months ago

Fix #24 by removing packages that use outdated and vulnerable versions of handlebars, and by updating packages that bring in security vulnerabilities.

`pnpm audit --audit-level critical` no longer reports any critical vulnerabilities. There are still 14 high, 10 moderate and 2 low vulnerabilities, though, which we might want to address too.

I know that this slashing of themes seems harsh, but imo it is infeasible to execute that code based on user input on a server.


coderabbitai[bot] commented 9 months ago

Walkthrough

The recent updates to the project involve a significant overhaul of the resume themes and an enhancement to the server capabilities. Numerous outdated or potentially insecure themes have been removed, while new, modern themes have been introduced. Additionally, the inclusion of the webrick gem suggests an improvement in the project's HTTP server functionality, possibly addressing security concerns.

Changes

| File Path | Change Summary |
| --- | --- |
| apps/registry/pages/api/formatters/template.js | Removed multiple themes; added new themes like "github2" |
| apps/homepage/Gemfile | Added "webrick" gem with version "~> 1.8" |
| apps/homepage/themes.html | Updated theme URL; removed "Broken - Being repaired" section |

Assessment against linked issues

| Objective | Addressed | Explanation |
| --- | --- | --- |
| #24: Fix security issues by addressing dependabot alerts and potentially removing themes | ✅ | The removal of numerous themes and the update of the homepage to reflect these changes suggest an effort to mitigate security risks associated with outdated or vulnerable themes. |

Poem

In the code's garden, themes bloom and fade, 🌱🍂
As webrick stands guard, no threat shall invade. 🛡️
With each pull and push, the project refines,
A rabbit hops through, leaving clean code lines. 🐇💻


vercel[bot] commented 9 months ago

The latest updates on your projects. Learn more about Vercel for Git.

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| jsonresume-org-homepage | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Nov 27, 2023 2:28pm |
| jsonresume-org-registry | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Nov 27, 2023 2:28pm |
levino commented 9 months ago

Maybe we also should add a ci script that checks for security vulnerabilities on PRs. It might be annoying for some users because the security vulnerability might just have popped up and have nothing to do with their code. But it also would make sure that people do not try to bring in (bring back) old and vulnerable themes...
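The CI gate proposed in the comment above, and the `pnpm audit --audit-level critical` check quoted in the PR description, can be implemented as a small script that reads the JSON report `pnpm audit --json` prints and fails the job when any finding at or above a chosen severity remains. The script below is an added example and is not code from the jsonresume repository; it assumes the npm-v6-style report shape pnpm emits (`metadata.vulnerabilities` with `info`/`low`/`moderate`/`high`/`critical` counts), and the sample report embedded in it is constructed to mirror the counts quoted in the PR description (0 critical, 14 high, 10 moderate, 2 low), not real audit output. The function and file names (`auditGate`, `check-audit.js`) are hypothetical.

```javascript
// Added example (not project code): severity gate over `pnpm audit --json`.
// Assumption: the report has metadata.vulnerabilities = {info, low, moderate, high, critical}.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Count findings whose severity is `level` or worse in a parsed audit report.
function countAtOrAbove(report, level) {
  const idx = SEVERITIES.indexOf(level);
  if (idx < 0) throw new Error(`unknown audit level: ${level}`);
  const vulns = (report && report.metadata && report.metadata.vulnerabilities) || {};
  let total = 0;
  for (const sev of SEVERITIES.slice(idx)) {
    total += Number(vulns[sev] || 0);
  }
  return total;
}

// Decide whether CI should pass. Takes the raw JSON text so a malformed or
// truncated report fails closed instead of being treated as "no findings".
function auditGate(reportJson, level = "high") {
  let report;
  try {
    report = JSON.parse(reportJson);
  } catch (e) {
    return { ok: false, level, count: -1, perSeverity: {}, error: "invalid JSON report" };
  }
  const vulns = (report && report.metadata && report.metadata.vulnerabilities) || {};
  const perSeverity = {};
  for (const sev of SEVERITIES) perSeverity[sev] = Number(vulns[sev] || 0);
  const count = countAtOrAbove(report, level);
  return { ok: count === 0, level, count, perSeverity };
}

// Constructed sample report mirroring the counts quoted in the PR description.
const SAMPLE_REPORT = JSON.stringify({
  actions: [],
  advisories: {},
  muted: [],
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 10, high: 14, critical: 0 },
  },
});

// Running the gate at the two thresholds discussed in the thread: "critical"
// passes on the sample report, while "high" still fails because 14 remain.
const atCritical = auditGate(SAMPLE_REPORT, "critical");
const atHigh = auditGate(SAMPLE_REPORT, "high");
console.log(`critical gate: ${atCritical.ok ? "pass" : "fail"} (${atCritical.count} findings)`);
console.log(`high gate: ${atHigh.ok ? "pass" : "fail"} (${atHigh.count} findings)`);
```

In a workflow the script would be wired as `pnpm audit --json | node check-audit.js high` with the process exit code set from `result.ok`; the gate is deliberately strict about unparsable input, since a CI step that passes on an empty or garbled report is the same as having no check. Raising the threshold from `critical` to `high` is what would stop a PR from reintroducing one of the removed themes, because the advisory counts come from the lockfile rather than from the PR's own diff.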

thomasdavis commented 9 months ago

Getting rid of the criticals is nice, but the functions don't have any private data or authentication, so pretty low risk imo.

Happy to cull the themes, I am just making a mental note to fix up the onepage one as I believe a bunch of people use it.

levino commented 9 months ago

Thank you @ObserverOfTime for the idea. This is my opinion on the matter: In principle that would work. However I could also go and make PRs to the repos of the themes, updating the handlebars dependency. I fear that nobody will care about my PRs, not to speak of making a new release after merging them. I think it is okay to remove these themes since they are abandoned. At least that is what I have to assume, looking at the facts. If some of them are really popular and the maintainers have gone, then we should rather copy the code, add it to this repo here and take over control. Monkey patching third party libraries (which is the baseline of what you propose) is fun, but it just does not scale and brings a lot of headaches. Better be in control.

levino commented 9 months ago

@thomasdavis Please give this an approving review so it can be merged. I reactivated the rule that all PRs need at least one approval, which might seem annoying, but it really is good practice imo.