openoakland / funding-public-safety

Helping Oaklanders understand the real impacts of public safety funding.
https://openoakland.github.io/funding-public-safety/

Update 11ty to latest version #81

Closed theecrit closed 2 years ago

theecrit commented 2 years ago

Description

11ty has released its first stable v1.0.0 but it introduces breaking changes and needs to be updated thoughtfully. Details here: https://www.11ty.dev/blog/eleventy-one-point-oh/

nydame commented 2 years ago

I will definitely be looking at this issue for OBO.

aemann2 commented 2 years ago

I'm going to try to look into this next week for this project

aemann2 commented 2 years ago

Seeing some vulnerabilities when doing npm install:

engine.io  <4.0.0
Severity: high
Resource exhaustion in engine.io  - https://github.com/advisories/GHSA-j4f2-536g-r55m
No fix available
node_modules/engine.io
  socket.io  1.0.0-pre - 2.4.1
  Depends on vulnerable versions of engine.io
  node_modules/socket.io
    browser-sync  >=1.0.0
    Depends on vulnerable versions of socket.io
    node_modules/browser-sync
      @11ty/eleventy  *
      Depends on vulnerable versions of browser-sync
      Depends on vulnerable versions of markdown-it
      Depends on vulnerable versions of pug
      node_modules/@11ty/eleventy
      node_modules/eleventy-navigation-bootstrap/node_modules/@11ty/eleventy
        eleventy-navigation-bootstrap  *
        Depends on vulnerable versions of @11ty/eleventy
        node_modules/eleventy-navigation-bootstrap

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
No fix available
node_modules/eleventy-navigation-bootstrap/node_modules/markdown-it
node_modules/markdown-it
  @11ty/eleventy  *
  Depends on vulnerable versions of browser-sync
  Depends on vulnerable versions of markdown-it
  Depends on vulnerable versions of pug
  node_modules/@11ty/eleventy
  node_modules/eleventy-navigation-bootstrap/node_modules/@11ty/eleventy
    eleventy-navigation-bootstrap  *
    Depends on vulnerable versions of @11ty/eleventy
    node_modules/eleventy-navigation-bootstrap

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - https://github.com/advisories/GHSA-p493-635q-r6gr
No fix available
node_modules/eleventy-navigation-bootstrap/node_modules/pug
  @11ty/eleventy  *
  Depends on vulnerable versions of browser-sync
  Depends on vulnerable versions of markdown-it
  Depends on vulnerable versions of pug
  node_modules/@11ty/eleventy
  node_modules/eleventy-navigation-bootstrap/node_modules/@11ty/eleventy
    eleventy-navigation-bootstrap  *
    Depends on vulnerable versions of @11ty/eleventy
    node_modules/eleventy-navigation-bootstrap

All 3 reference eleventy, so I'm going to try the upgrade locally to see if it fixes any of these.
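As an added example (not from this issue or the project's code), a small script that does what the comment above does by hand: it walks an `npm audit --json` report from a direct dependency down to the packages that actually carry each advisory and reports whether npm offers a fix. The report shape follows npm 7+ and is an assumption; the sample input is constructed from the three advisories quoted above.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+; the shape
// is an assumption). Names, ranges and advisory URLs are the ones quoted above.
const SAMPLE_AUDIT = { vulnerabilities: {
  "engine.io": { severity: "high", range: "<4.0.0", fixAvailable: false,
    via: [{ title: "Resource exhaustion in engine.io", severity: "high",
            url: "https://github.com/advisories/GHSA-j4f2-536g-r55m" }] },
  "socket.io": { severity: "high", range: "1.0.0-pre - 2.4.1", fixAvailable: false,
    via: ["engine.io"] },
  "browser-sync": { severity: "high", range: ">=1.0.0", fixAvailable: false,
    via: ["socket.io"] },
  "markdown-it": { severity: "moderate", range: "<12.3.2", fixAvailable: false,
    via: [{ title: "Uncontrolled Resource Consumption in markdown-it", severity: "moderate",
            url: "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c" }] },
  "pug": { severity: "high", range: "<3.0.1", fixAvailable: false,
    via: [{ title: "Remote code execution via the `pretty` option.", severity: "high",
            url: "https://github.com/advisories/GHSA-p493-635q-r6gr" }] },
  "@11ty/eleventy": { severity: "high", range: "*", fixAvailable: false,
    via: ["browser-sync", "markdown-it", "pug"] },
} };

// Follow `via` links from `pkg` down to the packages that carry the advisory
// themselves (entries whose `via` holds advisory objects, not package names).
function rootAdvisories(audit, pkg, chain = [], seen = new Set()) {
  const entry = audit.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return [];
  seen.add(pkg);
  const path = [...chain, pkg];
  return entry.via.flatMap((v) =>
    typeof v === "string"
      ? rootAdvisories(audit, v, path, seen)
      : [{ package: pkg, title: v.title, severity: v.severity, url: v.url,
           fixAvailable: entry.fixAvailable, chain: path.join(" -> ") }]);
}

// One-line triage for a direct dependency: how many root advisories reach
// it, the worst severity among them, and how many npm reports no fix for.
function summarize(audit, pkg) {
  const rank = { low: 1, moderate: 2, high: 3, critical: 4 };
  const roots = rootAdvisories(audit, pkg);
  const worst = roots.reduce((m, r) => (rank[r.severity] > rank[m] ? r.severity : m), "low");
  return { package: pkg, advisories: roots.length, worst,
           unfixed: roots.filter((r) => !r.fixAvailable).length };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of rootAdvisories(SAMPLE_AUDIT, "@11ty/eleventy")) {
    console.log(`${r.severity}\t${r.package}\t${r.title}\n  via ${r.chain}`);
  }
}
```

On a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of the output of `npm audit --json`; the chain column shows why upgrading the direct dependency alone may not clear an advisory that sits several levels down.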

aemann2 commented 2 years ago

Site seems stable on localhost after #84.

The vulnerabilities on npm install are still present, but those are dependencies used by eleventy, so there's a chance that trying to update the vulnerable packages manually (if that's even possible) will break eleventy itself.

aemann2 commented 2 years ago

Build is failing. See #84

aemann2 commented 2 years ago

Fixed in 4646b95a151316094024dc722052d5331b665380