Closed theecrit closed 2 years ago
I will definitely be looking at this issue for OBO.
I'm going to try to look into this next week for this project
Seeing some vulnerabilities when doing npm install:
engine.io <4.0.0
Severity: high
Resource exhaustion in engine.io - https://github.com/advisories/GHSA-j4f2-536g-r55m
No fix available
node_modules/engine.io
socket.io 1.0.0-pre - 2.4.1
Depends on vulnerable versions of engine.io
node_modules/socket.io
browser-sync >=1.0.0
Depends on vulnerable versions of socket.io
node_modules/browser-sync
@11ty/eleventy *
Depends on vulnerable versions of browser-sync
Depends on vulnerable versions of markdown-it
Depends on vulnerable versions of pug
node_modules/@11ty/eleventy
node_modules/eleventy-navigation-bootstrap/node_modules/@11ty/eleventy
eleventy-navigation-bootstrap *
Depends on vulnerable versions of @11ty/eleventy
node_modules/eleventy-navigation-bootstrap
markdown-it <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
No fix available
node_modules/eleventy-navigation-bootstrap/node_modules/markdown-it
node_modules/markdown-it
@11ty/eleventy *
Depends on vulnerable versions of browser-sync
Depends on vulnerable versions of markdown-it
Depends on vulnerable versions of pug
node_modules/@11ty/eleventy
node_modules/eleventy-navigation-bootstrap/node_modules/@11ty/eleventy
eleventy-navigation-bootstrap *
Depends on vulnerable versions of @11ty/eleventy
node_modules/eleventy-navigation-bootstrap
pug <3.0.1
Severity: high
Remote code execution via the `pretty` option. - https://github.com/advisories/GHSA-p493-635q-r6gr
No fix available
node_modules/eleventy-navigation-bootstrap/node_modules/pug
@11ty/eleventy *
Depends on vulnerable versions of browser-sync
Depends on vulnerable versions of markdown-it
Depends on vulnerable versions of pug
node_modules/@11ty/eleventy
node_modules/eleventy-navigation-bootstrap/node_modules/@11ty/eleventy
eleventy-navigation-bootstrap *
Depends on vulnerable versions of @11ty/eleventy
node_modules/eleventy-navigation-bootstrap
All 3 reference eleventy, so I'm going to try the upgrade locally to see if it fixes any of these.
Site seems stable on localhost after #84.
The vulnerabilities on npm install are still present, but those are dependencies used by eleventy, so there's a chance that trying to update the vulnerable packages manually (if that's even possible) will break eleventy itself.
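One way to read an `npm audit --json` report programmatically and confirm which direct dependencies sit behind each finding (the same conclusion reached by eye above: all three advisories trace back to eleventy), as an added example that is not code from this thread or from the eleventy project. The sample report is constructed by hand to mirror the chains printed above, and the field names (`via`, `effects`, `isDirect`) follow the npm 7+ audit JSON format as assumed here.

```javascript
// Constructed sample mirroring this issue's audit output (npm 7+ JSON shape, assumed):
// `via` holds advisory objects for a real finding, or package names for a
// transitive one; `effects` lists the packages that depend on this entry.
const adv = (title, url) => ({ title, url });
const sampleAudit = { vulnerabilities: {
  "engine.io": { name: "engine.io", severity: "high", isDirect: false,
    via: [adv("Resource exhaustion in engine.io", "https://github.com/advisories/GHSA-j4f2-536g-r55m")],
    effects: ["socket.io"] },
  "socket.io": { name: "socket.io", severity: "high", isDirect: false,
    via: ["engine.io"], effects: ["browser-sync"] },
  "browser-sync": { name: "browser-sync", severity: "high", isDirect: false,
    via: ["socket.io"], effects: ["@11ty/eleventy"] },
  "markdown-it": { name: "markdown-it", severity: "moderate", isDirect: false,
    via: [adv("Uncontrolled Resource Consumption in markdown-it", "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c")],
    effects: ["@11ty/eleventy"] },
  "pug": { name: "pug", severity: "high", isDirect: false,
    via: [adv("Remote code execution via the `pretty` option.", "https://github.com/advisories/GHSA-p493-635q-r6gr")],
    effects: ["@11ty/eleventy"] },
  "@11ty/eleventy": { name: "@11ty/eleventy", severity: "high", isDirect: true,
    via: ["browser-sync", "markdown-it", "pug"], effects: ["eleventy-navigation-bootstrap"] },
  "eleventy-navigation-bootstrap": { name: "eleventy-navigation-bootstrap", severity: "high",
    isDirect: true, via: ["@11ty/eleventy"], effects: [] },
} };

// Map each advisory URL to the sorted list of DIRECT dependencies that pull it in,
// by walking `effects` upward from the package carrying the advisory.
function rootCauses(audit) {
  const vulns = audit.vulnerabilities;
  const result = {};
  for (const pkg of Object.values(vulns)) {
    for (const v of pkg.via) {
      if (typeof v !== "object") continue; // string = transitive, not a finding
      const roots = new Set(), seen = new Set(), stack = [pkg.name];
      while (stack.length) {
        const name = stack.pop();
        if (seen.has(name)) continue; // guard against dependency cycles
        seen.add(name);
        const node = vulns[name];
        if (!node) continue;
        if (node.isDirect) roots.add(name);
        stack.push(...node.effects);
      }
      result[v.url] = [...roots].sort();
    }
  }
  return result;
}

console.log(rootCauses(sampleAudit));
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse` of that file in place of `sampleAudit`; if every advisory maps to the same direct dependency, upgrading that one package is the fix to try first.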
Build is failing. See #84
Fixed in 4646b95a151316094024dc722052d5331b665380
Description
11ty has released its first stable v1.0.0 but it introduces breaking changes and needs to be updated thoughtfully. Details here: https://www.11ty.dev/blog/eleventy-one-point-oh/