LibreKAT/Ocideck
LibreKAT/Ocideck
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
Ocideck/assets/web_export/MANIFEST.json
Brenno de Winter f08055c7ae Upgrade vendored JS and add deps-check CVE gate (#3) 
Upgrade the JavaScript bundles inlined into the offline HTML export:
DOMPurify 3.1.7 -> 3.4.9 (clears 10 OSV advisories), marked 12.0.2 -> 18.0.5,
highlight.js 11.9.0 -> 11.11.1. mermaid 10.9.6 and MathJax 3.2.2 are kept
(no known CVEs) and now guarded rather than chased.

Pin every bundle in assets/web_export/MANIFEST.json (npm name, version, source,
sha256, licence) and add tool/check_bundled_js.dart: it verifies each file
still matches the manifest hash and queries the OSV database for known
vulnerabilities. Wired as `make deps-check`, into `check-full`, and into CI
next to the licence check. THIRD_PARTY_NOTICES.md updated for the now-standalone
DOMPurify bundle.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 22:16:29 +02:00

46 lines
2 KiB
JSON
Raw Blame History

{
"_comment": "Pinned inventory of the vendored JavaScript bundles inlined into the offline HTML export (see lib/services/marp_html_service.dart). Each entry records the npm package + exact version so `make deps-check` can query the OSV vulnerability database, and a sha256 so the same check can prove the on-disk file still matches this manifest (tamper / accidental-replacement guard). When you intentionally upgrade a bundle, update its version, source and sha256 here in the same commit.",
"ecosystem": "npm",
"bundles": [
{
"file": "marked.min.js",
"npm": "marked",
"version": "18.0.5",
"sha256": "2dc4769dfde29f51c7aca1a539c6407c789c8ea644cf8b7d01ded28a9c1d800b",
"source": "https://cdn.jsdelivr.net/npm/marked@18.0.5/lib/marked.umd.js",
"license": "MIT"
},
{
"file": "highlight.min.js",
"npm": "highlight.js",
"version": "11.11.1",
"sha256": "c4a399dd6f488bc97a3546e3476747b3e714c99c57b9473154c6fb8d259b9381",
"source": "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.1/highlight.min.js",
"license": "BSD-3-Clause"
},
{
"file": "purify.min.js",
"npm": "dompurify",
"version": "3.4.9",
"sha256": "3c16cc90eb152b823b71b8585cd79e7fb7cd7a380157a800dfbd9459aad5f726",
"source": "https://cdn.jsdelivr.net/npm/dompurify@3.4.9/dist/purify.min.js",
"license": "Apache-2.0 OR MPL-2.0"
},
{
"file": "mermaid.min.js",
"npm": "mermaid",
"version": "10.9.6",
"sha256": "eda3a0ad572bbe69a318c1be0163e8233dd824f3f12939e5168feba207767151",
"source": "https://cdn.jsdelivr.net/npm/mermaid@10.9.6/dist/mermaid.min.js",
"license": "MIT"
},
{
"file": "tex-svg.js",
"npm": "mathjax",
"version": "3.2.2",
"sha256": "d4295dc33744836935c1399feece5159577b34c5c8ffb9f1c6324cd82e03a882",
"source": "https://cdn.jsdelivr.net/npm/mathjax@3.2.2/es5/tex-svg.js",
"license": "Apache-2.0"
}
]
}
Reference in a new issue View git blame Copy permalink