r-lib / pkgdown

Generate static html documentation for an R package

Home Page:https://pkgdown.r-lib.org/


how to upgrade to newer jquery version

espinielli opened this issue · comments

Pkgdown 2.0.7 ships with jquery 3.4.1 which is currently tagged as vulnerable (CVE-2020-23064, CVE-2020-11023, CVE-2020-11022).
I would like to know whether there is an official procedure to upgrade to newer/different versions of jquery.

I post-processed the built site with the following script and it works, but I am not sure I am doing the correct thing and eventually how to integrate it into the pkgdown GHA.

# Exact <script> tag emitted by pkgdown 2.0.7 (BS3 template) and its replacement.
url_pkgdown <- '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>'
url_new  <- '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.js" integrity="sha512-+k1pnlgt4F1H8L7t3z95o3/KO+o78INEcXTbnoJQ/F2VqDVhWoaiVml/OEHv9HsVgxUaVW+IbiZPUJQfF/YxZw==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>'

# Rewrite every built HTML page in place. The pattern is a regex, so anchor on
# the ".html" extension; fixed = TRUE makes sub() do a literal string replacement
# (one per line, which is enough since the tag sits on its own line).
for (file in list.files('docs/', pattern = "\\.html$", full.names = TRUE, recursive = TRUE)) {
  readLines(file) |>
    sub(pattern = url_pkgdown, replacement = url_new, x = _, fixed = TRUE) |>
    writeLines(file)
}

I found out how to add the above snippet of post processing.
The build step in GHA becomes:

      - name: Build site
        run: |
          pkgdown::build_site_github_pages(new_process = FALSE, install = FALSE)
          url_pkgdown <- '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>'
          url_new  <- '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.js" integrity="sha512-+k1pnlgt4F1H8L7t3z95o3/KO+o78INEcXTbnoJQ/F2VqDVhWoaiVml/OEHv9HsVgxUaVW+IbiZPUJQfF/YxZw==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>'
          for (file in list.files('docs/', pattern = "\\.html$", full.names = TRUE, recursive = TRUE)) {
            readLines(file) |>
              sub(pattern = url_pkgdown, replacement = url_new, x = _, fixed = TRUE) |>
              writeLines(file)
          }
        shell: Rscript {0}

See the relevant GHA file.

Still I would welcome any official feedback on this topic.
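The post-processing above has two silent failure modes a practitioner would want to catch: if pkgdown ever changes the exact `<script>` tag, the literal `sub()` matches nothing and the site keeps shipping the old jQuery, and nothing in the pipeline checks which jQuery versions the built pages actually reference afterwards. The following Python script is an added example, not code from the issue or from pkgdown: it audits a built site for cdnjs jQuery tags below 3.5.0 (the release that fixed CVE-2020-11022 and CVE-2020-11023), performs the same literal tag swap as the R snippet but raises if the old tag is absent, and shows how a Subresource Integrity value like the `integrity="sha512-..."` attribute is computed so the hash in the new tag can be checked against the file it is meant to pin. The `JQUERY_TAG` regex assumes the cdnjs URL layout used by pkgdown's BS3 template; the sample HTML is constructed here.

```python
import base64
import hashlib
import re
from pathlib import Path

# <script> tags loading jQuery from cdnjs (assumption: the URL layout pkgdown's
# BS3 template uses; adjust the host/path if your site uses another CDN).
JQUERY_TAG = re.compile(
    r'<script\s+src="https://cdnjs\.cloudflare\.com/ajax/libs/jquery/'
    r'(?P<version>\d+\.\d+\.\d+)/jquery(?:\.min)?\.js"[^>]*></script>'
)

# First jQuery release that fixed CVE-2020-11022 and CVE-2020-11023.
MIN_SAFE_VERSION = (3, 5, 0)

# The two tags from the issue: what pkgdown 2.0.7 emits and the replacement.
OLD_TAG = ('<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js" '
           'integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" '
           'crossorigin="anonymous"></script>')
NEW_TAG = ('<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.js" '
           'integrity="sha512-+k1pnlgt4F1H8L7t3z95o3/KO+o78INEcXTbnoJQ/F2VqDVhWoaiVml/'
           'OEHv9HsVgxUaVW+IbiZPUJQfF/YxZw==" crossorigin="anonymous" '
           'referrerpolicy="no-referrer"></script>')

# Constructed sample of a built pkgdown page (not real pkgdown output).
SAMPLE_HTML = "<html><head>\n" + OLD_TAG + "\n</head><body></body></html>\n"


def parse_version(v):
    """'3.4.1' -> (3, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def find_jquery_tags(html):
    """Return (version, full_tag) for every cdnjs jQuery script tag in the page."""
    return [(m.group("version"), m.group(0)) for m in JQUERY_TAG.finditer(html)]


def vulnerable_versions(html):
    """Sorted list of referenced jQuery versions older than MIN_SAFE_VERSION."""
    return sorted({v for v, _ in find_jquery_tags(html)
                   if parse_version(v) < MIN_SAFE_VERSION})


def replace_tag(html, old_tag=OLD_TAG, new_tag=NEW_TAG):
    """Literal replacement like R's sub(fixed = TRUE), but loud when nothing matches."""
    count = html.count(old_tag)
    if count == 0:
        raise ValueError("old jQuery tag not found; pkgdown template may have changed")
    return html.replace(old_tag, new_tag), count


def sri_sha512(data):
    """Subresource Integrity value for a script body: 'sha512-' + base64(SHA-512)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def audit_site(root):
    """Map each still-vulnerable jQuery version to the built files referencing it."""
    report = {}
    for path in Path(root).rglob("*.html"):
        for v in vulnerable_versions(path.read_text(encoding="utf-8")):
            report.setdefault(v, []).append(str(path))
    return report


if __name__ == "__main__":
    # Run against a real build with: audit_site("docs")
    print("before:", vulnerable_versions(SAMPLE_HTML))
    fixed, n = replace_tag(SAMPLE_HTML)
    print("replaced", n, "tag(s); after:", vulnerable_versions(fixed))
    print("SRI of a downloaded jquery.js would be:", sri_sha512(b"...file bytes..."))
```

Running `audit_site("docs")` as a final CI step, and failing the job when it returns a non-empty dict, turns the one-off rewrite into a check that keeps working after a pkgdown upgrade changes the template. To confirm the pinned `integrity` value, compute `sri_sha512()` over the bytes of the jquery.js file downloaded from the CDN and compare it with the attribute in `NEW_TAG`.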

I think this is likely low risk for pkgdown sites (since they don't have access to user data and are typically served 100% statically), but I'll take a look next week and try and get a quick release out.

This looks like it's only a problem with BS3 support, so you can also fix the problem by upgrading to BS5.