Pelican bootstrap 3: Update vendored dependencies #598
Conversation
This is required for upgrading the Sharrif version.
This includes a fix for a potential XSS issue.
|
Due to cve-2020-11022, using jQuery 3.5.x would be good. Thank you for working on this update. Would it be helpful if I put together a more targeted PR for just jQuery? |
|
@colinbrislawn: Sure, that would indeed be helpful. Thank you! @theMarix: Very sorry for the absurdly long delay in reviewing your pull request. If you would be willing to update this PR and resolve the conflicts, I would be happy to merge your improvement expeditiously. 💫 |
|
Hey, Justin. I've got testing set up and am working on this now. Several libraries here are >5 years out of date, shipping jQuery from 2013 and 2015. What PR should I submit? One dealing only with pelican-bootstrap3, or with one that updates older jQuery more generally? |
|
Perhaps let's start with pelican-bootstrap3, and then we can proceed to update jQuery in a more general way. How does that sound? For pelican-bootstrap3, which plugins have been deprecated? |
This updates the vendored dependencies in the Pelican-Boostrap3 theme. My main goal was to upgrade Shariff. Version 3.0.1 does feature a fix for an XSS vulnerability, although this is probably less important for statically generated sites. It does however also offer other features, like new services supported. Sadly this meant also to upgrade fontawesome, which sent me down a rabbit hole.
In addition I also upgraded Bootstrap to the latest 3.x version and jQuery.