Replace Wintersmith with another static site generator #18198

Closed
timvandermeij opened this issue May 31, 2024 · 0 comments · Fixed by #18248

timvandermeij commented May 31, 2024

Most if not all (unfixable) vulnerabilities reported by npm audit originate from Wintersmith. This dependency hasn't been updated in 6 years and seems unmaintained, so it'd be good to replace it with a maintained alternative. Nowadays there likely are better Node.js static site generators that require fewer dependencies, so we should explore which options exist and how easy it is to transform our Wintersmith setup (hopefully this should be fairly simple because we only have a handful of pages).

It looks like Metalsmith (see https://www.npmjs.com/package/metalsmith and https://metalsmith.io) might be most similar to Wintersmith and seems maintained, but if other/better alternatives exist those can obviously also be considered.

timvandermeij self-assigned this Jun 14, 2024

timvandermeij added a commit to timvandermeij/pdf.js that referenced this issue Jun 14, 2024:

Wintersmith is no longer maintained given that the most recent version
is from six years ago, and all vulnerabilities that NPM reports
originate from Wintersmith's dependencies. Metalsmith, and its plugins,
on the other hand have recently had releases and don't have known
vulnerabilities. In fact, the number of reported vulnerabilities by NPM
even goes down to zero with this patch applied.

This commit therefore replaces Wintersmith with Metalsmith by providing
a transparent drop-in replacement, in a way that requires the least
amount of changes to the code and the generated output.

Note that this patch does update our versions of jQuery, Bootstrap and
the Highlight.js theme because the previous versions were very outdated
and didn't work correctly with Metalsmith. Moreover, those old versions
contained vulnerabilities that are hereby fixed.

Fixes mozilla#18198.
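
An added example, not part of the issue, the commit or the pdf.js code base: one way to check a claim like the one in the issue and the commit message, that audit findings originate from a single direct dependency, by walking the `effects` edges of `npm audit --json` output (report version 2, npm 7 and later). The sample report and its package names are constructed.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Package names and advisories are hypothetical, not real findings.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "old-site-generator": { isDirect: true, severity: "high",
      via: ["tmpl-engine", "md-parser"], effects: [] },
    "tmpl-engine": { isDirect: false, severity: "high",
      via: [{ title: "Constructed advisory A" }], effects: ["old-site-generator"] },
    "md-parser": { isDirect: false, severity: "moderate",
      via: ["regex-util"], effects: ["old-site-generator"] },
    "regex-util": { isDirect: false, severity: "moderate",
      via: [{ title: "Constructed advisory B" }], effects: ["md-parser"] },
    "http-helper": { isDirect: true, severity: "low",
      via: [{ title: "Constructed advisory C" }], effects: [] },
  },
};

// Follow `effects` (the packages that depend on `name`) upward until
// direct dependencies of the project are reached.
function directRoots(report, name, seen = new Set()) {
  const roots = new Set();
  if (seen.has(name)) return roots; // already visited, also guards cycles
  seen.add(name);
  const entry = report.vulnerabilities[name];
  if (!entry) return roots;
  if (entry.isDirect) roots.add(name);
  for (const parent of entry.effects || []) {
    for (const root of directRoots(report, parent, seen)) roots.add(root);
  }
  return roots;
}

// Map each direct dependency to every vulnerable package it is responsible for.
function attributeFindings(report) {
  const byRoot = {};
  for (const name of Object.keys(report.vulnerabilities || {})) {
    for (const root of directRoots(report, name)) {
      (byRoot[root] = byRoot[root] || []).push(name);
    }
  }
  return byRoot;
}

for (const [root, pkgs] of Object.entries(attributeFindings(sampleReport))) {
  console.log(`${root}: ${pkgs.length} vulnerable package(s): ${pkgs.join(", ")}`);
}
```

To run it against a real project, replace `sampleReport` with the parsed output of `npm audit --json`.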