konklone / oversight.garden

Bringing together the oversight community's work.
https://oversight.garden
Creative Commons Zero v1.0 Universal

Update README.md #111

Closed audiodude closed 8 years ago

audiodude commented 8 years ago

The blog steps changed slightly, so I'm updating the README, mostly so we remember how to do this in 2 weeks.

divergentdave commented 8 years ago

rake blog fails if you don't have the wintersmith tool installed globally, so I'm going to add it to package.json and point the Rakefile at the binary inside node_modules. I'm also going to update the fabfile to call the blog task from the deploy tasks.
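As an added illustration of the approach described in that comment (this is not the oversight.garden Rakefile or any code from the PR), the helpers below resolve wintersmith from node_modules/.bin rather than relying on a global install, build the command as an argv array so no shell parses it, and fail with a clear message when npm install has not been run. The task names, the repository root default and the audit step that removes node_modules/wintersmith before nsp check are assumptions modelled on the thread.

```ruby
# Added example, not code from the oversight.garden repository.
# Helpers a Rakefile can use so `rake blog` works without a globally
# installed wintersmith: the binary is taken from the project's own
# node_modules/.bin, which `npm install` populates from package.json.
require "fileutils"

begin
  require "rake"
rescue LoadError
  # Rake is only needed when this file is loaded as a Rakefile; the
  # helper functions below work without it.
end

# Path of the project-local wintersmith binary (assumed layout).
def wintersmith_bin(root = Dir.pwd)
  File.join(root, "node_modules", ".bin", "wintersmith")
end

# Build the invocation as an argv array so arguments are never shell-parsed.
def wintersmith_command(args, root = Dir.pwd)
  [wintersmith_bin(root), *args]
end

# True only when `npm install` has put an executable binary in place.
def wintersmith_available?(root = Dir.pwd)
  File.executable?(wintersmith_bin(root))
end

# Run wintersmith from node_modules, failing early with a useful message
# instead of the bare "command not found" a global-install assumption gives.
def run_wintersmith(args, root = Dir.pwd)
  unless wintersmith_available?(root)
    raise "#{wintersmith_bin(root)} not found; run `npm install` first"
  end
  system(*wintersmith_command(args, root)) ||
    raise("wintersmith #{args.join(' ')} failed")
end

# Mirror of the workaround the thread describes: drop the build-only tool
# (and its transitive dependencies) before auditing, so the audit covers
# what is deployed rather than what is used once at build time.
def remove_build_tool(root = Dir.pwd, name = "wintersmith")
  FileUtils.rm_rf(File.join(root, "node_modules", name))
end

if defined?(Rake::DSL)
  extend Rake::DSL

  desc "Build the blog with the wintersmith version pinned in package.json"
  task :blog do
    run_wintersmith(["build"])
  end

  desc "Audit dependencies without the build-only wintersmith tree"
  task :audit do
    remove_build_tool
    system("nsp", "check") || raise("nsp check reported vulnerabilities")
  end
end
```

Loading this from a Rakefile gives a blog task that fails fast when node_modules is missing, and an audit task that reproduces the thread's CI approach; the trade-off that approach makes is that vulnerabilities in the build tool's own dependency tree are no longer reported, which is acceptable only while, as the comment above notes, the build runs on trusted input at deploy time.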

konklone commented 8 years ago

@divergentdave are the build failures expected here?

divergentdave commented 8 years ago

The failure is coming from Node Security Project, which has flagged five different vulnerabilities in wintersmith's dependencies. Two come by way of npm, two come by way of jade/pug, and one comes from marked, the markdown library. Since we're only running this at deploy, and we trust all the inputs, I'd be okay with going ahead, but it would be nice to see up to date dependencies.

Since we're using npm-shrinkwrap, I could try installing too-new versions of the dependencies, and then shrinkwrapping that. This would ensure we get the up-to-date versions, which would in turn make the CI green.

divergentdave commented 8 years ago

Never mind, I tried installing over the old version inside node_modules/wintersmith, but after that npm shrinkwrap knew better and wouldn't shrinkwrap the invalid dependency.

divergentdave commented 8 years ago

I had a better idea! 3b929ad removes wintersmith before running nsp check.

konklone commented 8 years ago

:+1: Thanks!