Replace Wintersmith with Metalsmith

[timvandermeij]

Wintersmith is no longer maintained given that the most recent version is from six years ago, and all vulnerabilities that NPM reports originate from Wintersmith's dependencies. Metalsmith, and its plugins, on the other hand have recently had releases and don't have known vulnerabilities. In fact, the number of reported vulnerabilities by NPM even goes down to zero with this patch applied.

This commit therefore replaces Wintersmith with Metalsmith by providing a transparent drop-in replacement, in a way that requires the least amount of changes to the code and the generated output.

Note that this patch does update our versions of jQuery, Bootstrap and the Highlight.js theme because the previous versions were very outdated and didn't work correctly with Metalsmith. Moreover, those old versions contained vulnerabilities that are hereby fixed.

Fixes #18198.

[timvandermeij]

/botio-linux preview

[moz-tools-bot]

From: Bot.io (Linux m4)

---

Received

Command cmd_preview from @timvandermeij received. Current queue size: 0

Live output at: http://54.241.84.105:8877/683680ffc99851b/output.txt

[moz-tools-bot]

From: Bot.io (Linux m4)

---

Success

Full output at http://54.241.84.105:8877/683680ffc99851b/output.txt

Total script time: 0.99 mins

Published

• Viewer: http://54.241.84.105:8877/683680ffc99851b/web/viewer.html
• Viewer (legacy): http://54.241.84.105:8877/683680ffc99851b/legacy/web/viewer.html

[timvandermeij]

Extra context for the reviewer:

• You can view the generated output at http://54.241.84.105:8877/683680ffc99851b. Notice that the generated output is mostly equal to the current output at https://mozilla.github.io/pdf.js, aside from some small changes that were mostly required for the newer version of Bootstrap and Highlight.js.
• You can build the generated output locally using npx gulp web which is also what is used for https://mozilla.github.io/pdf.js, or alternatively use the much faster npx gulp metalsmith command if you only want to build the Metalsmith bits (i.e. without demo viewer and JSDoc output).
• The preview logs at http://54.241.84.105:8877/683680ffc99851b/output.txt show that all vulnerability logs are gone and that NPM indeed reports zero vulnerabilities. Moreover, the Highlight.js deprecation warning from http://54.241.84.105:8877/bc4e600d8014282/output.txt is gone.
• The preview logs at http://54.241.84.105:8877/683680ffc99851b/output.txt also show that the Metalsmith target is faster than before: 185 ms now versus 657 ms for Wintersmith (see http://54.241.84.105:8877/bc4e600d8014282/output.txt).
• The templating language for Metalsmith is Nunjucks (.njk extension), which is actually from Mozilla (see https://github.com/mozilla/nunjucks) and is very similar to the well-known Jinja2 templating language. The layout is now simply HTML with a few variables, whereas previously for Wintersmith it required knowledge of the lesser known Jade templating language and CoffeeScript. Overall the new situation should be easier to work with.
• The package-lock.json file, which has the most changes in this patch, is reduced a lot because Wintersmith pulled in a big number of dependencies that we no longer need now. This is also shown by npm install which before this patch showed added 1334 packages, and audited 1792 packages and after this patch shows added 1201 packages, and audited 1202 packages.