diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..c2f51361 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,7 @@ +paths-ignore: + - "_scripts/cronitor-analytics-setup.js" + - "_scripts/open-panel-analytics-setup.js" + - "_scripts/search.liquid.js" + - "_scripts/giscus-setup.js" + - "_scripts/google-analytics-setup.js" + - "_scripts/photoswipe-setup.js" diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..946c3b27 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + + - package-ecosystem: "bundler" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/axe.yml b/.github/workflows/axe.yml index afa3c922..e07382df 100644 --- a/.github/workflows/axe.yml +++ b/.github/workflows/axe.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout ๐Ÿ›Ž๏ธ - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Ruby uses: ruby/setup-ruby@v1 with: @@ -59,7 +59,7 @@ jobs: echo "CHROMIUM_VERSION=$CHROMIUM_VERSION" >> $GITHUB_ENV - name: Setup Chrome ๐ŸŒ id: setup-chrome - uses: browser-actions/setup-chrome@v1 + uses: browser-actions/setup-chrome@v2 with: chrome-version: ${{ env.CHROMIUM_VERSION }} - name: Install chromedriver ๐Ÿš— diff --git a/.github/workflows/broken-links-site.yml b/.github/workflows/broken-links-site.yml index a62684d2..28a2c265 100644 --- a/.github/workflows/broken-links-site.yml 
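Review bot: The six `_scripts/*.js` files in `paths-ignore` drop out of CodeQL coverage entirely, and the file records no reason, so a later local edit to one of them (the search or giscus setup, for instance) would go unscanned without anyone noticing. A header comment would preserve the intent, e.g. `# Vendored third-party embed snippets (analytics, giscus, photoswipe, search); excluded because findings there are upstream noise. Keep this list minimal and remove any file that is maintained in this repo.` It is also worth stating in that comment that `paths-ignore` only affects interpreted-language analysis (JavaScript here), so nobody later expects it to apply to other languages added to the matrix.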
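Review bot: Every `uses:` in these workflows except `tj-actions/changed-files` is pinned to a mutable major tag (`@v6`, `@v4`, `@v2.7.0`), so the daily `github-actions` schedule added here will follow tags rather than content. Dependabot also understands full-SHA pins with a trailing `# vX.Y.Z` comment and keeps both current, so enabling it is the natural moment to move the remaining actions to SHA pins for a consistent content-addressed supply chain. A one-line comment in this file, `# Actions are SHA-pinned; Dependabot updates the SHA and the version comment together`, would document that convention for the next contributor.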
+++ b/.github/workflows/broken-links-site.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout ๐Ÿ›Ž๏ธ - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Ruby uses: ruby/setup-ruby@v1 with: @@ -40,7 +40,7 @@ jobs: npm install -g purgecss purgecss -c purgecss.config.js - name: Link Checker ๐Ÿ”— - uses: lycheeverse/lychee-action@v2.0.2 + uses: lycheeverse/lychee-action@v2.7.0 with: fail: true # only check local links diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index d23c0117..c286757c 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -44,10 +44,10 @@ jobs: # only run on the main repo if: github.repository == 'alshedivat/al-folio' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Link Checker ๐Ÿ”— - uses: lycheeverse/lychee-action@v2.0.2 + uses: lycheeverse/lychee-action@v2.7.0 with: fail: true # removed md files that include liquid tags diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d09a3b57..3f75b586 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -57,14 +57,15 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} + config-file: .github/codeql/codeql-config.yml # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. 
@@ -89,6 +90,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/deploy-docker-tag.yml b/.github/workflows/deploy-docker-tag.yml index d7710e26..0093f70a 100644 --- a/.github/workflows/deploy-docker-tag.yml +++ b/.github/workflows/deploy-docker-tag.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -41,7 +41,7 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm64/v8 diff --git a/.github/workflows/deploy-image.yml b/.github/workflows/deploy-image.yml index 7ddd8f65..ad457e9b 100644 --- a/.github/workflows/deploy-image.yml +++ b/.github/workflows/deploy-image.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -36,7 +36,7 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . push: true diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 5fb7e8ae..7d3f2e49 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -70,14 +70,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout ๐Ÿ›Ž๏ธ - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Ruby ๐Ÿ’Ž uses: ruby/setup-ruby@v1 with: ruby-version: "3.3.5" bundler-cache: true - name: Setup Python ๐Ÿ - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: "3.13" cache: "pip" # caching pip dependencies 
diff --git a/.github/workflows/docker-slim.yml b/.github/workflows/docker-slim.yml index b342ef66..7f9e7caa 100644 --- a/.github/workflows/docker-slim.yml +++ b/.github/workflows/docker-slim.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Login uses: docker/login-action@v3 diff --git a/.github/workflows/lighthouse-badger.yml b/.github/workflows/lighthouse-badger.yml index addec2d3..59f784d1 100644 --- a/.github/workflows/lighthouse-badger.yml +++ b/.github/workflows/lighthouse-badger.yml @@ -46,12 +46,12 @@ jobs: echo "BRANCH=$BRANCH" >> $GITHUB_ENV env: REPO_BRANCH: ${{ env.REPO_BRANCH }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: repository: ${{ env.REPOSITORY }} token: ${{ secrets.LIGHTHOUSE_BADGER_TOKEN }} ref: ${{ env.BRANCH }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: repository: "myactionway/lighthouse-badges" path: temp_lighthouse_badges_nested diff --git a/.github/workflows/prettier-comment-on-pr.yml b/.github/workflows/prettier-comment-on-pr.yml index e95075ce..1714b019 100644 --- a/.github/workflows/prettier-comment-on-pr.yml +++ b/.github/workflows/prettier-comment-on-pr.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: PR comment with html diff ๐Ÿ’ฌ - uses: thollander/actions-comment-pull-request@v2 + uses: thollander/actions-comment-pull-request@v3 with: comment_tag: prettier-failed pr_number: ${{ github.event.client_payload.pr_number }} diff --git a/.github/workflows/prettier-html.yml b/.github/workflows/prettier-html.yml index 3dc4326e..cc993471 100644 --- a/.github/workflows/prettier-html.yml +++ b/.github/workflows/prettier-html.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout gh-pages branch - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: gh-pages 
@@ -16,7 +16,7 @@ jobs: run: find . -type f -name "*.html" -exec sed -i 's/<\/source>//g' {} + - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 - name: Install Prettier run: npm install -g prettier diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml index 60446c8d..eb102bce 100644 --- a/.github/workflows/prettier.yml +++ b/.github/workflows/prettier.yml @@ -16,9 +16,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout ๐Ÿ›Ž๏ธ - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Node.js โš™๏ธ - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 - name: Install Prettier ๐Ÿ’พ run: npm install --save-dev --save-exact prettier @shopify/prettier-plugin-liquid - name: Prettier Check ๐Ÿ”Ž @@ -35,14 +35,14 @@ jobs: - name: Upload html diff โฌ†๏ธ id: artifact-upload if: ${{ failure() && steps.prettier.conclusion == 'failure' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: HTML Diff path: diff.html retention-days: 7 - name: Dispatch information to repository ๐Ÿ—ฃ๏ธ if: ${{ failure() && steps.prettier.conclusion == 'failure' && github.event_name == 'pull_request' }} - uses: peter-evans/repository-dispatch@v2 + uses: peter-evans/repository-dispatch@v4 with: event-type: prettier-failed-on-pr client-payload: '{"pr_number": "${{ github.event.number }}", "artifact_url": "${{ steps.artifact-upload.outputs.artifact-url }}", "run_id": "${{ github.run_id }}"}' diff --git a/.github/workflows/update-citations.yml b/.github/workflows/update-citations.yml index 3335d7ec..838cc2ac 100644 --- a/.github/workflows/update-citations.yml +++ b/.github/workflows/update-citations.yml 
@@ -13,13 +13,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 # See CUSTOMIZE.md for details on how to set up PAT for triggering subsequent workflows # with: # token: ${{ secrets.PAT }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v6 with: python-version: "3.13" diff --git a/.github/workflows/update-tocs.yml b/.github/workflows/update-tocs.yml index 3567ee82..6da6aae1 100644 --- a/.github/workflows/update-tocs.yml +++ b/.github/workflows/update-tocs.yml @@ -18,13 +18,13 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 0 # OR "2" -> To retrieve the preceding commit. - name: Get changed files id: changed-files - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v46 with: files: ./*.md @@ -45,6 +45,6 @@ jobs: - name: Commit changes if: steps.changed-files.outputs.any_changed == 'true' - uses: stefanzweifel/git-auto-commit-action@v5.0.1 + uses: stefanzweifel/git-auto-commit-action@v7.0.0 with: commit_message: Auto update markdown TOC diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..dd3e51c0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 0.1.x | :white_check_mark: | +| 0.0.x | :x: | + +(not applicable, really) + +## Reporting a Vulnerability + +Please report any vulnerability as issue, with PR if possible. + +Updates on reported vulnerabilities are _not_ guaranteed to be dealt with in a timely fashion: if the vulnerability is accepted a patch will be deployed as soon as it is ready, when +declined the corresponding issue will be closed, possibly with an explanation. diff --git a/_config.yml b/_config.yml index 737e395e..00200e84 100644 --- a/_config.yml 
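Review bot: "Please report any vulnerability as issue, with PR if possible" asks reporters to disclose publicly before a fix exists, which is the opposite of what a security policy should request; GitHub's private vulnerability reporting (Security tab → "Report a vulnerability") provides a private channel with no extra infrastructure. Suggested replacement for that line: `Please report vulnerabilities privately via the "Report a vulnerability" form on this repository's Security tab rather than in a public issue; a PR is welcome once the report has been acknowledged.` The Supported Versions table followed by "(not applicable, really)" reads as contradictory — either drop the table or state plainly that only the current `main` branch receives fixes.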
+++ b/_config.yml @@ -18,8 +18,8 @@ keywords: jekyll, jekyll-theme, academic-website, portfolio-website # add your o lang: en # the language of your site (for example: en, fr, cn, ru, etc.) icon: โš›๏ธ # the emoji used as the favicon (alternatively, provide image name in /assets/img/) -url: https://alshedivat.github.io # the base hostname & protocol for your site -baseurl: /al-folio # the subpath of your site, e.g. /blog/. Leave blank for root +url: https://prosodiac.github.io # the base hostname & protocol for your site +baseurl: # the subpath of your site, e.g. /blog/. Leave blank for root last_updated: false # set to true if you want to display last updated in the footer impressum_path: # set to path to include impressum link in the footer, use the same path as permalink in a page, helps to conform with EU GDPR back_to_top: true # set to false to disable the back to top button diff --git a/_layouts/default.liquid b/_layouts/default.liquid index ea103706..3c2dea8b 100644 --- a/_layouts/default.liquid +++ b/_layouts/default.liquid @@ -13,6 +13,7 @@ {% endif %} {% include head.liquid %} + diff --git a/_plugins/openssl_verify_flags_patch.rb b/_plugins/openssl_verify_flags_patch.rb new file mode 100644 index 00000000..464479f7 --- /dev/null +++ b/_plugins/openssl_verify_flags_patch.rb 
@@ -0,0 +1,35 @@
+# _plugins/openssl_verify_flags_patch.rb
+
+require "openssl"
+
+# 1. Make sure DEFAULT_PARAMS doesn't include :verify_flags,
+# since on your build SSLContext doesn't define verify_flags=
+if OpenSSL::SSL::SSLContext.const_defined?(:DEFAULT_PARAMS)
+ params = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+
+ # Avoid calling a non-existent verify_flags=
+ params.delete(:verify_flags)
+
+ # 2. Add a verify_callback that *only* ignores the CRL retrieval error,
+ # and otherwise keeps normal verification.
+ params[:verify_callback] = lambda do |preverify_ok, store_ctx|
+ error = store_ctx.error
+
+ # Ignore only: X509_V_ERR_UNABLE_TO_GET_CRL
+ if error == OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL
+ true
+ else
+ preverify_ok
+ end
+ end
+end
+
+# 3. Define a no-op verify_flags= so that if anything tries to set it
+# at runtime, it doesn't crash.
+class OpenSSL::SSL::SSLContext
+ unless method_defined?(:verify_flags=)
+ def verify_flags=(_flags)
+ # no-op: ignore verify_flags on this build
+ end
+ end
+end
diff --git a/assets/js/distillpub/template.v2.js b/assets/js/distillpub/template.v2.js
index 4c7667ea..a622c553 100644
--- a/assets/js/distillpub/template.v2.js
+++ b/assets/js/distillpub/template.v2.js
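Review bot: Mutating `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` weakens certificate verification for every TLS connection made by the Jekyll process, not just the client that hit the CRL error, and the bypass is silent, so the file should say why it exists and make itself visible when it fires. The header comment should name the component that fails without it (presumably a gem fetching over HTTPS with CRL checking enabled — the diff does not show which) and the Ruby/OpenSSL build it targets, e.g. `# Needed for <gem> on <ruby/openssl version>; remove once that build is dropped`, since the `verify_flags=` shim is guarded by `method_defined?` but the callback is installed unconditionally. Inside the callback, log the bypass before returning `true`: `warn "openssl_verify_flags_patch: ignoring X509_V_ERR_UNABLE_TO_GET_CRL for #{store_ctx.current_cert&.subject}"`. The no-op `verify_flags=` silently discards flags a caller set on purpose (CRL checking, partial chains); a `warn` there as well would keep that from going unnoticed.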
@@ -2692,19 +2692,27 @@ d-citation-list .references .title { }, tokenize: function (text, grammar) { + // Make a prototype-less safe copy of grammar, to prevent prototype pollution + var safeGrammar = Object.create(null); + for (var key in grammar) { + if (Object.prototype.hasOwnProperty.call(grammar, key)) { + if (key === "__proto__" || key === "constructor" || key === "prototype") continue; + safeGrammar[key] = grammar[key]; + } + } var rest = grammar.rest; if (rest) { for (var token in rest) { - grammar[token] = rest[token]; + if (token === "__proto__" || token === "constructor" || token === "prototype") continue; + safeGrammar[token] = rest[token]; } - - delete grammar.rest; + // Don't mutate original grammar (could be shared by others) + //delete grammar.rest; } - var tokenList = new LinkedList(); addAfter(tokenList, tokenList.head, text); - matchGrammar(text, tokenList, grammar, tokenList.head, 0); + matchGrammar(text, tokenList, safeGrammar, tokenList.head, 0); return toArray(tokenList); }, @@ -3087,7 +3095,7 @@ d-citation-list .references .title { comment: //, prolog: /<\?[\s\S]+?\?>/, doctype: { - pattern: /"'[\]]|"[^"]*"|'[^']*')+(?:\[(?:(?!)*\]\s*)?>/i, + pattern: /"'[\]]|"[^"]*"|'[^']*')+(?:\[(?:(?!)*\]\s*)?>/i, greedy: true, }, cdata: //i, @@ -3330,7 +3338,7 @@ d-citation-list .references .title { Prism.languages.insertBefore("javascript", "keyword", { regex: { pattern: - /((?:^|[^$\w\xA0-\uFFFF."'\])\s])\s*)\/(?:\[(?:[^\]\\\r\n]|\\.)*]|\\.|[^/\\\[\r\n])+\/[gimyus]{0,6}(?=(?:\s|\/\*[\s\S]*?\*\/)*(?:$|[\r\n,.;:})\]]|\/\/))/, + /((?:^|[^$\w\xA0-\uFFFF."'\])\s])\s*)\/(?:\[(?:[^\]\\\r\n]|\\.)*]|\\.|[^/\\\[\r\n])+\/[gimyus]{0,6}(?=(?:\s|\/\*(?:[^*]|\*(?!\/))*\*\/)*(?:$|[\r\n,.;:})\]]|\/\/))/, lookbehind: true, greedy: true, }, 
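Review bot: The copy loop runs before `rest` is merged and copies the `rest` key itself into `safeGrammar`, and the `delete grammar.rest` that used to remove it is now commented out, so `matchGrammar` receives a `rest` entry whose value is a grammar object rather than a pattern and will try to use it as one (`pattern.exec` on a plain object). Skip it in the loop, `if (key === "rest" || key === "__proto__" || key === "constructor" || key === "prototype") continue;`, and remove the commented-out `//delete grammar.rest;` line rather than leaving dead code. Separately, `safeGrammar` is now a null-prototype object; if `matchGrammar` (outside this hunk) still calls `grammar.hasOwnProperty(token)` as upstream Prism of this vintage does, that call throws on it, so either confirm it uses `Object.prototype.hasOwnProperty.call` or build `safeGrammar` as `{}` with the same key filter. `tokenize` is a method of an object literal whose start and end lie outside the hunk.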
@@ -4235,7 +4243,7 @@ ${css} if (this.hasAttribute("block")) { // normalize the tab indents - content = content.replace(/\n/, ""); + content = content.replace(/\n/g, ""); const tabs = content.match(/\s*/); content = content.replace(new RegExp("\n" + tabs, "g"), "\n"); content = content.trim(); @@ -4672,6 +4680,16 @@ d-references {
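Review bot: Adding the `g` flag makes `content.replace(/\n/g, "")` strip every newline, so a multi-line `block` code sample is collapsed onto a single line before the indentation pass, and the following `new RegExp("\n" + tabs, "g")` replace then has nothing left to match. If the intent of the original was to drop only the newline that follows the opening tag, make that explicit with `content = content.replace(/^\n/, "");`, which also satisfies whatever lint flagged the non-global replace. The enclosing method starts and ends outside the hunk.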
