Hide Old Themes #430
I suggest we hide themes that fit certain criteria. Here are two examples:
There are older themes that haven’t been updated for a year and still work with the current version of Hugo. So I am not in favor of an 18 month cut off time limit.
However there are also older themes that do not work with the current version of Hugo and throw errors. Currently there is no policy about these themes.
Maybe we should notify those theme authors about the need to update by opening issues in their theme repositories. If they don’t respond then we remove those themes from the website.
If they agree with me I could task myself with opening these GitHub issues in the relevant theme repositories.
I also favor the simpler approach but I also think that we need to add a Note about this somewhere in the Themes Repo's README.
Something along the lines of:
Anyway, I'm away at the moment but I will send the above in a PR once I can.
referenced this issue
Sep 22, 2018
While I can understand your intention for this issue, I agree with the others that an 18 month limit or a minimum version number as threshold are not good metrics to decide whether a theme is outdated or not.
Yes, some themes are outdated, some only build with ancient versions of Hugo, but some of them are just dead simple (e.g. blog or one-page-themes) in the sense that they do not make use of more advanced features of Hugo or have been affected by deprecated ones.
Any ideas how we can track this easily without much overhead?
I know that it is not easy to remove a submodule, since it needs to be done manually as described here
But it seems that the
Of course the first 2 commands could be executed for multiple themes in the console and then make a single commit.
The downside is that we would need to
@digitalcraftsman I can send a PR that removes those themes that throw errors and don't have their Demo generated, but this will be done once I come back from my trip.
18 months was just a number, doesn't have to be specifically that.
Old themes are a problem and here's why.
Marketing / Public Perspective
Old themes look bad. It gives the wrong impression to new users that things in Hugo can be outdated, unmaintained, etc. Seeing themes reference Hugo v0.19 for example as far as what's supported or tested on looks bad.
For example, I checked out this repo and cloned every single theme as well (my laptop wasn't happy). Then I ran
I'm not saying that a recently updated theme means it's 100% safe, but the chances of newer software and fewer vulnerabilities goes way up.
Newer themes should also serve as a showcase. Older themes may use deprecated features or not even work and the build process just hasn't caught this. I know personally this has affected me many times when looking for a theme to use. It just doesn't work even though it's on the site.
As Hugo grows, there will forever be more themes. Showcasing good ones is important for an ecosystem.
Even if older themes weren't removed, I think it would be smart to downplay older themes and feature newer themes.
You raise a lot of issues and I will try to be as brief as possible:
RE: Marketing / Public Perspective / Showcasing
I don't agree with your perspective about older themes. For example the Newsprint theme hasn't been updated since August 2017 but it still looks pretty good in my opinion and I just don't see why it should be removed/hidden/downplayed because it lists Hugo 0.25.1 as a minimum version. If its Demo didn't generate then that would be an issue but currently it works fine.
In my opinion Hugo Themes with jQuery should not be accepted, but that also means that the number of themes in this repository will reduce dramatically.
Also funky JS loading mechanisms (e.g.
Anyway I'll keep my eyes on this issue for any big policy changes.
@onedrawingperday If you click the download button for the Newsprint theme it 404s. That's the problem.
That jQuery CVE page you linked to is exactly what I was looking at when I mentioned security. We're literally on the same page there.
It seems that the Newsprint theme lives here: https://github.com/SamWhited/newsprint
OK. I will try to notify the author here.
@SamWhited it seems that you have deleted your theme's Bitbucket repository. Furthermore you have closed the GitHub issue tracker for your theme and moved it to Soquee, but I am not opening an account there.
You really need to update your theme's
Also this came up in the Forum today and it is relevant to your theme.
CC / @digitalcraftsman
It depends. But for the kind of functionality I see in Hugo Themes usually jQuery is not needed at all.
To be quite frank jQuery is a bit of a crutch for lazy people. It was useful once upon a time but in 2018 it's not important at all.
Anyway the above is my personal (harsh) opinion.
However the real reason I am proposing that we should not permit Hugo Themes with jQuery and WASM is security.
The way this repo is structured whenever the theme submodules are updated it is almost next to impossible to know what gets pushed.
Also this is a matter of trust between theme authors and users but as @felicianotech pointed out every jQuery version below v.3 is vulnerable and a lot of themes use the old and vulnerable versions of jQuery.
We simply cannot keep an eye on upcoming jQuery vulnerabilities ourselves and even if we do we would have to manually notify theme authors and tell them to upgrade their library and that is simply not possible.
However these security concerns about jQuery need to be addressed.
Regarding WASM as I posted above this technology introduces a new attack vector in the browser. There was at least one Hugo theme in the past that used this sort of thing. In my opinion this should also not be allowed.
That's okay; I probably shouldn't have added it to the themes page repo since I don't really want to maintain anything outside my own theme repo. Thanks for letting me know.
EDIT: Oh, I see, this is something in my repo, not in the themes repo. Also fixed.
Thanks for the heads up! I'll push a fix.
I didn't really see any information in that readme to help me update my theme; is there something broken or something in particular you wanted me to do? Thanks.
Nothing seems broken. I only directed you to the updated README so that you can have a look at the new section about Common Permalink Issues. We have seen older themes being updated with newer Hugo features only to have their Demos broken. This was just a side note.
Ok... I had a cursory look at the Hugo themes that use jQuery and it seems that not permitting it at all would affect many high profile Hugo themes such as Academic etc. (It doesn't really help that frameworks such as Foundation and Bootstrap utilize jQuery.)
Anyway I will water down my proposal and suggest that Hugo Themes that depend on jQuery should use version 3.0 as a minimum. Any themes that use an older version of jQuery should be removed from the Hugo Themes Site because of the security vulnerabilities mentioned above.
If these themes are upgraded they could be submitted again.
@felicianotech It would help the others to decide what to do about the security concerns you raised if you could compile a list with the Hugo themes that use jQuery versions below v.3.0
I could do this myself but I am away at the moment and I don't have the time for this until next week.
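One way to compile the list requested in the last comment, as an added example that is not part of the original thread or the Hugo project's tooling. It assumes the themes are checked out one per subdirectory; the two regular expressions are heuristics chosen here, and the sample tree and theme names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristics: versioned file names / CDN URLs, and the banner comment in jQuery builds.
REF_RE = re.compile(r"jquery[-@/](\d+\.\d+(?:\.\d+)?)", re.I)
BANNER_RE = re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)")

def parse(version):
    return tuple(int(part) for part in version.split("."))

def scan_theme(theme_dir):
    """Return every jQuery version string referenced or bundled in one theme."""
    found = set()
    for path in theme_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".html", ".js"):
            # The file name is scanned too, so a vendored jquery-X.Y.Z.min.js is caught.
            text = path.name + "\n" + path.read_text(errors="ignore")
            for rx in (REF_RE, BANNER_RE):
                found.update(rx.findall(text))
    return found

def outdated_themes(themes_root, minimum=(3, 0)):
    """Map theme name -> sorted jQuery versions below `minimum` (3.0, as proposed in the thread)."""
    report = {}
    for theme in sorted(p for p in Path(themes_root).iterdir() if p.is_dir()):
        old = sorted((v for v in scan_theme(theme) if parse(v) < minimum), key=parse)
        if old:
            report[theme.name] = old
    return report

def build_sample(root):
    """Constructed sample tree; theme names and file contents are made up."""
    files = {
        "theme-alpha/layouts/partials/footer.html": '<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>',
        "theme-beta/static/js/jquery.min.js": "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */",
        "theme-gamma/layouts/partials/head.html": '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>',
        "theme-delta/static/js/main.js": "document.title = 'no jQuery here';",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(outdated_themes(tmp))
```

A theme that concatenates jQuery into a bundle with the banner stripped, or loads it from an unversioned URL, will not be reported, so an empty result for a theme is not proof that it is free of old jQuery.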