staticman
Vulnerabilities
I would like to host the staticman repository on Heroku, but when I download it with "git clone" and then run the "npm install" command, at least 1000 vulnerabilities are found, of which 7 are serious. Even after running "npm update" or "npm audit fix", several vulnerabilities still remain. Is there a way to solve these vulnerabilities by updating the dependencies, and is there any difference with the "deploy on heroku" button on the repo? Does this option ("deploy on heroku") run a newer version of staticman, or is it affected by the same vulnerabilities?
P.S. Thanks to this repository I got introduced to the world of nodejs; I'm opening this issue just to understand.
Welcome to the NodeJS world @0xFEDERICO !
I don't know exactly how the Heroku button works, but I'm pretty sure it will deploy whatever is in the master/main branch right now.
Unfortunately, afaik, at the moment npm has no built-in way to upgrade all package dependencies, and you should use something like ncu for that purpose.
Thanks @shaftoe for the reply, I'm going to look into ncu, I didn't know it. Thank you!
Yes, but there is still 1 high severity issue: Rate Limiting Bypass.
It also appears that in doing so it updates gitlab, which looks to remove es5 from it, and now I get:
{ Error: Cannot find module 'gitlab/dist/es5'
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:582:15)
at Function.Module._load (internal/modules/cjs/loader.js:508:25)
at Module.require (internal/modules/cjs/loader.js:637:17)
at require (internal/modules/cjs/helpers.js:22:18)
at Object.
@0xFEDERICO @shaftoe I have created a fork (and submitted a PR) that updates the packages and the code to work with the packages, at least for GitHub. With the PR below I created a PR in my git repo. https://github.com/tikicoder/staticman https://github.com/eduardoboucas/staticman/pull/383
I'm sorry @tikicoder, but I'm not active on Staticman anymore; I'm currently developing a very stripped-down alternative to Staticman based on Probot called static-comments, and you are welcome to contribute, give feedback, etc.:
https://github.com/shaftoe/static-comments
@shaftoe I will have to make a note of it. If I had known about that before I got staticman working locally (and hopefully in GCP connected to my GitHub), I would have completely made the shift. However, now that I have made the change, I'm not sure I want to change unless it runs on serverless (functions as a service), like GCP Cloud Functions, AWS Lambda, or Azure Functions. If so, I will probably make sure to switch sooner rather than later.
At first glance it looks like it's missing at least 1 key piece (Google reCAPTCHA), and I just got that working on staticman. Either that, or at some point I might roll my own and pivot my forked staticman. It looks like this community isn't as active as it once was.
@tikicoder I started the project just a few days ago anyway (and yes, mostly because Staticman feels a little abandoned, but most importantly I personally need just a small subset of features), no need to feel frustrated about not jumping in earlier 😉
So far I haven't had any need for a recaptcha for my personal website (https://a.l3x.in), which is very low traffic; it sounds like a sensible feature to have, though. Please feel free to open an issue/pull request on static-comments and who knows, maybe it will get done (it doesn't sound too complicated, but I don't actually know; I might even try to implement that myself).
Serverless: that was my initial idea, but I put that on hold when I saw Probot has announced that the next version (v11) will be mostly dedicated to adding serverless support for various platforms. Please feel free to join the conversation and drop your ideas there too: https://github.com/probot/probot/milestone/4
@shaftoe What I am thinking of doing is taking my fork and killing all endpoints except 2: encrypt and entry. Then adding the functionality to limit the repo and the branches that you can submit to as part of the settings. All the rest is fluff.
@tikicoder How about GH auth? At the moment using Probot (or static-comments) has the benefit of making it a GH app, which means you get repo-level auth out of the box (it doesn't address limiting branch access, though; I never thought it might be needed). I'm not sure that is possible with Staticman, or at least it's not well documented.
Out of curiosity, what's your use case for the /encrypt endpoint?
@shaftoe I used that to encrypt the recaptcha server secret.
I know a GH app would be better. In Staticman I just updated the entry endpoint to ensure the branch and property are what I expect, and if not I reject it. I need to test, but it should work.
Since I am not as familiar with this, small changes until I can do it right, or until a better solution has the minimum I need without spending a lot to add it.