Find a better/simpler solution for lbry.tech #119

Closed
opened 2018-07-06 00:31:48 +02:00 by NetOpWibby · 2 comments
NetOpWibby commented 2018-07-06 00:31:48 +02:00 (Migrated from github.com)

Not for immediate resolution

Vuepress, while a nice system for a small site, has too many caveats for my liking. Modern routing is a mess, internal dependencies aren't updated thus making every site built with it susceptible to trolls, and it does a lot of "magic" under the hood that I don't have insight into aside from going through that repo's codebase. Not that magic is terrible but I shouldn't have to search DDG for 10 minutes to find the source of an error.

References

  • DeprecationWarning: Tapable.plugin is deprecated. Use new API on .hooks instead (see https://stackoverflow.com/questions/49942558/deprecationwarning-tapable-plugin-is-deprecated-use-new-api-on-hooks-instea)
  • npm audit security report:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > request > hawk > boom > hoek          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > request > hawk > cryptiles > boom >   │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > request > hawk > hoek                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > request > hawk > sntp > hoek          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-anchor > string                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-table-of-contents > string            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 vulnerabilities (4 moderate, 2 high) in 11895 scanned packages
  6 vulnerabilities require manual review. See the full report for details.

Alternatives

  • Create custom site from scratch:
    • PROS:
      • Better control over dependencies. We're using a minor dependency that isn't updated as quickly as we'd like? Fork it and make it an internal dependency.
      • No more .html pages or placing a single file inside a folder just to get rid of .html
      • We know everything, like the Architect in the Matrix.
    • CONS:
      • Doing everything from scratch.
      • Don't have the benefit of merely plugging in content and going about our merry way.
  • Some other platform:
    • TBD

Summary

I'm a huge fan of security and my inability to ensure this project is in fact secure gets on my nerves. The (minor) usability issues with routing and other things don't help.

fastify (https://github.com/fastify/fastify) and choo (https://github.com/choojs/choo) would be a nice combo for the next iteration of .tech, coupled with a simple Markdown parser. We'll see.

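The audit report in the issue mixes findings that an upgrade would close (hoek, with a "Patched in" range) and one with no fix at all (string). As an added example that is not code from this issue or from the lbry.tech project, the Node script below parses that box-drawing report format into findings, evaluates each "Patched in" range against the version actually resolved in the lockfile, and separates fixed, vulnerable and unpatchable findings. The report excerpt is two of the tables from the report above; the installed versions are constructed for the demo.

```javascript
// Added example (not from the lbry.tech issue or project): triage an `npm audit` text
// report. The report excerpt below is two tables from the issue; INSTALLED is constructed.
const SAMPLE_REPORT = `
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > request > hawk > cryptiles > boom >   │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-anchor > string                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
`;

// Constructed: versions as package-lock.json would resolve them for this build.
const INSTALLED = { hoek: '4.2.0', string: '3.3.3' };

// Each finding is one two-column table; the "Manual Review" banner has no column
// divider (no ┬) and is skipped. A row with an empty key continues the previous value.
function parseAuditReport(text) {
  const findings = [];
  let current = null;
  let lastKey = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('┌') && line.includes('┬')) {
      current = { severity: null, title: null, fields: {} };
      lastKey = null;
    } else if (line.startsWith('└') && current) {
      findings.push(current);
      current = null;
    } else if (line.startsWith('│') && current) {
      const cells = line.split('│').map((c) => c.trim()); // cells[0] and last are ''
      const key = cells[1];
      const value = cells[2];
      if (key === '' && lastKey) {
        current.fields[lastKey] += ' ' + value; // wrapped Path line
      } else if (current.severity === null) {
        current.severity = key; // first row: severity | title
        current.title = value;
      } else {
        current.fields[key] = value;
        lastKey = key;
      }
    }
  }
  return findings;
}

// Minimal major.minor.patch comparison; prerelease tags are not needed for this report.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unsupported version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Range grammar as npm audit prints it: alternatives joined by "||", each a conjunction
// of comparators such as "> 4.2.0 < 5.0.0". All comparators in one alternative must hold.
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comparators = alt.match(/(>=|<=|>|<|=)\s*\d+\.\d+\.\d+/g) || [];
    return comparators.length > 0 && comparators.every((c) => {
      const [, op, target] = /^(>=|<=|>|<|=)\s*(\S+)$/.exec(c);
      const cmp = compareVersions(version, target);
      return { '>': cmp > 0, '>=': cmp >= 0, '<': cmp < 0, '<=': cmp <= 0, '=': cmp === 0 }[op];
    });
  });
}

// Classify every finding: 'no-patch' needs a replacement or removal of the dependency,
// 'vulnerable' needs an upgrade into the patched range, 'fixed' is already safe.
function triage(report, installed) {
  return parseAuditReport(report).map((f) => {
    const pkg = f.fields['Package'];
    const patched = f.fields['Patched in'];
    const version = installed[pkg];
    let status;
    if (patched === 'No patch available') status = 'no-patch';
    else if (version === undefined) status = 'not-installed';
    else status = satisfies(version, patched) ? 'fixed' : 'vulnerable';
    return { package: pkg, severity: f.severity, title: f.title, version, patched, path: f.fields['Path'], status };
  });
}

function summarize(results) {
  return results.map((r) =>
    `${r.severity.padEnd(8)} ${r.status.padEnd(10)} ${r.package}@${r.version || '?'} (${r.title}) via ${r.path}`);
}

console.log(summarize(triage(SAMPLE_REPORT, INSTALLED)).join('\n'));
```

The useful output is the status column: a finding with no patch available cannot be closed by `npm update`, which is exactly why the issue treats the `string` dependency as a reason to replace the framework rather than bump versions; a `vulnerable` finding with a patched range can be handled by a lockfile upgrade along the printed path.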
kauffj commented 2018-07-06 23:00:30 +02:00 (Migrated from github.com)

I hate Vuepress routing so much that that is basically a sufficient reason to nuke it if it can't be adjusted.

NetOpWibby commented 2018-07-12 23:35:12 +02:00 (Migrated from github.com)

Progress is being tracked in #121

Reference: LBRYCommunity/lbry.tech#119