Wintersmith is no longer maintained given that the most recent version
is from six years ago, and all vulnerabilities that NPM reports
originate from Wintersmith's dependencies. Metalsmith, and its plugins,
on the other hand have recently had releases and don't have known
vulnerabilities. In fact, the number of reported vulnerabilities by NPM
even goes down to zero with this patch applied.
This commit therefore replaces Wintersmith with Metalsmith by providing
a transparent drop-in replacement, in a way that requires the least
amount of changes to the code and the generated output.
Note that this patch does update our versions of jQuery, Bootstrap and
the Highlight.js theme because the previous versions were very outdated
and didn't work correctly with Metalsmith. Moreover, those old versions
contained vulnerabilities that are hereby fixed.
Fixes mozilla#18198.
Most if not all (unfixable) vulnerabilities reported by npm audit originate from Wintersmith. This dependency hasn't been updated in 6 years and seems unmaintained, so it'd be good to replace it with a maintained alternative. Nowadays there likely are better Node.js static site generators that require fewer dependencies, so we should explore which options exist and how easy it is to transform our Wintersmith setup (hopefully this should be fairly simple because we only have a handful of pages).

It looks like Metalsmith (see https://www.npmjs.com/package/metalsmith and https://metalsmith.io) might be most similar to Wintersmith and seems maintained, but if other/better alternatives exist those can obviously also be considered.