fix: reduce security vulnarabilities

[levino]

fix #24 by removing packages that are using outdated and vulnerable versions of handlebars also updating packages that bring security vulnerabilities

pnpm audit --audit-level critical does not report any more critical vulnerabilities now. There are still 14 high, 10 moderate and 2 low vulnerabilities though which we might want to address too.

I know that this slashing of themes seems harsh, but imo it is infeasible to execute that code based on user input on a server.

Todo:

• update homepage

Summary by CodeRabbit

• New Features

  • Introduced new resume themes including "github2," "autumn," "kards," and more for enhanced customization options.

• Improvements

  • Updated the default theme for resume previews to "kendall" for a more modern look.

• Bug Fixes

  • Removed non-functional "Broken - Being repaired" themes section to improve user experience.

• Documentation

  • Updated theme documentation to reflect the new and removed themes.

• Chores

  • Added "webrick" gem to the project for improved HTTP server capabilities.

[coderabbitai]

Walkthrough

The recent updates to the project involve a significant overhaul of the resume themes and an enhancement to the server capabilities. Numerous outdated or potentially insecure themes have been removed, while new, modern themes have been introduced. Additionally, the inclusion of the webrick gem suggests an improvement in the project's HTTP server functionality, possibly addressing security concerns.

Changes

File Path	Change Summary
apps/registry/pages/api/formatters/template.js	Removed multiple themes; added new themes like "github2"
apps/homepage/Gemfile	Added "webrick" gem with version "~> 1.8"
apps/homepage/themes.html	Updated theme URL; removed "Broken - Being repaired" section

Assessment against linked issues

Objective	Addressed	Explanation
#24: Fix security issues by addressing dependabot alerts and potentially removing themes	✅	The removal of numerous themes and the update of the homepage to reflect these changes suggest an effort to mitigate security risks associated with outdated or vulnerable themes.

Poem

In the code's garden, themes bloom and fade, 🌱🍂
As webrick stands guard, no threat shall invade. 🛡️
With each pull and push, the project refines,
A rabbit hops through, leaving clean code lines. 🐇💻

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• If you reply to a review comment from CodeRabbit, the bot will automatically respond.
• To engage with CodeRabbit bot directly around the specific lines of code in the PR, mention @coderabbitai in your review comment
• Note: Review comments are made on code diffs or files, not on the PR overview.
• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Note: For conversation with the bot, please use the review comments on code diffs or files.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
jsonresume-org-homepage	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 27, 2023 2:28pm
jsonresume-org-registry	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 27, 2023 2:28pm

[levino]

Maybe we also should add a ci script that checks for security vulnerabilities on PRs. It might be annoying for some users because the security vulnerability might just have popped up and have nothing to do with their code. But it also would make sure that people do not try to bring in (bring back) old and vulnerable themes...

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between ebb20bf and 626ec57.

Files ignored due to filter (2)

• apps/registry/package.json
• pnpm-lock.yaml

Files selected for processing (1)

• apps/registry/pages/api/formatters/template.js (1 hunks)

Additional comments: 1

apps/registry/pages/api/formatters/template.js (1)

• 3-36: The removal of several themes due to security concerns is noted. Ensure that any references to these themes in the codebase or documentation have been updated to reflect their removal. Additionally, verify that the newly added "github2" theme is integrated correctly and does not introduce any security vulnerabilities.

[levino]

Here is a nice example. It should be possible to just use handlebars@^4 but nobody has cared to update the theme in 9 years. The alleged github repo holding the code has also gone.

[thomasdavis]

Getting rid of the critical's are nice but the functions don't have any private data or authentication so pretty low risk imo.

Happy to cull the themes, I am just making a mental note to fix up the onepage one as I believe a bunch of people use it.

[ObserverOfTime]

You could set overrides to force the themes to use a newer version of handlebars and only remove the ones that break.

[levino]

Thank you @ObserverOfTime for the idea. This is my opinion on the matter: In principle that would work. However I could also go and make PRs to the repos of the themes, updating the handlebars dependency. I fear that nobody will care about my PRs, not to speak of making a new release after merging them. I think it is okay to remove these themes since they are abandoned. At least that is what I have to assume, looking at the facts. If some of them are really popular and the maintainers have gone, then we should rather copy the code, add it to this repo here and take over control. Monkey patching third party libraries (which is the baseline of what you propose) is fun, but it just does not scale and brings a lot of headaches. Better be in control.

[levino]

This we like. We want to fix it and bring it back.

[levino]

Homepage /themes looks a bit sad now. But truth is: Most of these themes where broken or using broken technology. What can one do? Better work on getting more themes up which a re nice and shiny, I say.

[levino]

I do not believe in miracles. When people decide to fix their themes, I welcome them back. Until then this is just a "hm...." from the user perspective. I suggest to not talk about broken themes on the homepage.

[coderabbitai]

Review Status

Actionable comments generated: 3

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 5334e46 and fcf47e7.

Files ignored due to filter (6)

• apps/homepage/Gemfile.lock
• apps/homepage/_data/broken.yml
• apps/homepage/_data/themes.yaml
• apps/homepage/package.json
• apps/registry/package.json
• pnpm-lock.yaml

Files selected for processing (3)

• apps/homepage/Gemfile (1 hunks)
• apps/homepage/themes.html (2 hunks)
• apps/registry/pages/api/formatters/template.js (1 hunks)

Additional comments: 1

apps/homepage/Gemfile (1)

• 4-4: The addition of "webrick" gem is noted. Ensure that this gem is compatible with the current Ruby version and other gems, especially "github-pages". Also, verify that this addition aligns with the project's requirements for local web serving or handling HTTP requests.

[coderabbitai]

The text of the anchor tag still references the old theme "flat" while the href attribute has been updated to "kendall". The text should match the href to avoid confusion.

- >https://registry.jsonresume.org/thomasdavis?theme=flat</a
+ >https://registry.jsonresume.org/thomasdavis?theme=kendall</a

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	<a href="https://registry.jsonresume.org/thomasdavis?theme=kendall"
	>https://registry.jsonresume.org/thomasdavis?theme=flat</a
	<a href="https://registry.jsonresume.org/thomasdavis?theme=kendall"
	>https://registry.jsonresume.org/thomasdavis?theme=kendall</a

[coderabbitai]

The clear: both; style is incorrectly placed as content within a div. It should be within a style attribute or a class.

- <div class="clear: both;"></div>
+ <div style="clear: both;"></div>

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	<div class="clear: both;"></div>
	<div style="clear: both;"></div>

[coderabbitai]

The getTheme function's error handling is not effective. Accessing a non-existent property on an object in JavaScript returns undefined rather than throwing an error, so the catch block will never be executed. The function should be updated to check if the theme exists in the THEMES object and return an appropriate error if it does not.

const getTheme = (theme) => {
-  try {
-    return THEMES[theme];
-  } catch (e) {
-    return {
-      e: e.toString(),
-      error: 'Theme is not supported.',
-    };
-  }
+  if (!THEMES.hasOwnProperty(theme)) {
+    return {
+      error: 'Theme is not supported.',
+    };
+  }
+  return THEMES[theme];
};

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	const getTheme = (theme) => {
	const getTheme = (theme) => {
	if (!THEMES.hasOwnProperty(theme)) {
	return {
	error: 'Theme is not supported.',
	};
	}
	return THEMES[theme];
	};

[levino]

That is a nice observation. However totally out of scope of the PR. Just open a pull request that fixes this, if you are concerned about this. Coming in and reviewing existing code, that you are not tasked to use or change, like this is considered quite rude in most projects.

[coderabbitai]

@levino Understood, I apologize for the overreach. I'll refrain from reviewing unrelated code changes in the future. Thank you for the guidance.

[thomasdavis]

@levino you know that's a bot yeah? aha

[coderabbitai]

Looks like humans are talking. I'll be quiet for now. If you need me again, just tag @coderabbitai in a new comment.

[levino]

Thank you for the heads up, @thomasdavis. I know that @coderabbitai is a bot. Supposedly an "intelligent" bot, as far as I can tell. I am trying things out with it. And see: It claims it would adapt and learn:

@levino Understood, I apologize for the overreach. I'll refrain from reviewing unrelated code changes in the future. Thank you for the guidance.

I find the style a bit too obedient (like with ChatGPT where it always apologizes for everything) but it says it has understood. Lets see if it remembers too!

BTW: If I had not understood that it is a bot, I would probably have asked it to approve the PR 😉

[coderabbitai]

@levino I'll make sure to remember your preferences for future interactions. If there's anything specific you'd like me to learn or any particular way you'd like me to assist, just let me know!

(\/)
( ••)
/>🥕 Have a great day!

[thomasdavis]

@levino aha sorry. and yeah, cool idea for an experiment.

@coderabbitai are you able to create a PR for the feedback that you originally left?

[coderabbitai]

@thomasdavis I'm unable to create pull requests or make changes to repositories. My role is to provide code suggestions and information within the context of our conversation here. If you need the changes to be made, a human contributor will need to implement them and create the pull request.

[levino]

@thomasdavis Please give this an approving review so it can be merged. I reactivated the rule that all PRs need at least one approval, which might seem annoying, but it really is good practice imo.