
chore(deps): bump foundation-sites from 5.5.2 to 6.7.5 #11314

Closed

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Aug 1, 2023

Bumps foundation-sites from 5.5.2 to 6.7.5.

Release notes

Sourced from foundation-sites's releases.

Foundation for Sites v6.7.5

Join us on our Discussions Board. This is a great place to ask questions and interact with your fellow Foundation users.

What's Changed

New Contributors

Full Changelog: foundation/foundation-sites@v6.7.4...v6.7.5

Foundation for Sites v6.7.4

Join us on our Discussions Board. This is a great place to ask questions and interact with your fellow Foundation users.

Check out the details of this release below:

Featured Enhancements

  • 🚀 Outlines on focus will be removed when what-intent detects you are using a mouse or touch.
  • 🚀 When an element is set to draggable=false, callouts and force touch on iOS are also suppressed.
  • 🚀 New Visibility classes for dark mode, IE10+, and sticky
    • show-for-dark-mode
    • hide-for-dark-mode
    • show-for-ie
    • hide-for-ie
    • show-for-sticky
    • hide-for-sticky
  • 🚀 Slider now uses grab based cursors for the handle

... (truncated)

Commits
  • f3267f2 Merge branch 'release/v6.7.5'
  • fc7065c build: 6.7.5 dist build
  • 794bc76 build: cleanup dist before deploy
  • dfe2196 chore: update version string
  • f56b26e docs: remove some more ZURB
  • 33e3c57 chore: update caniuse
  • 140132e docs: remove bower from install tips
  • 7c5c44f docs: fixed homepage
  • e6ed962 fix: updated sass map syntax
  • b646833 docs: remove foundation-cli from docs
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by joeworkman, a new releaser for foundation-sites since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies javascript Pull requests that update Javascript code labels Aug 1, 2023
@mkllnk
Member

mkllnk commented Aug 2, 2023

@jibees Do you know what we use this for?

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/foundation-sites-6.7.5 branch from 794e370 to dd1a81d Compare August 3, 2023 23:22
Bumps [foundation-sites](https://github.com/foundation/foundation-sites) from 5.5.2 to 6.7.5.
- [Release notes](https://github.com/foundation/foundation-sites/releases)
- [Commits](foundation/foundation-sites@v5.5.2...v6.7.5)

---
updated-dependencies:
- dependency-name: foundation-sites
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/foundation-sites-6.7.5 branch from dd1a81d to 1891a8c Compare August 7, 2023 01:47
@dacook dacook self-requested a review August 8, 2023 03:56
@dacook
Member

dacook commented Aug 8, 2023

I tried removing it and found that we're using JS and SCSS for features such as "topbar" and "panel", and probably more.

This is a major upgrade. In fact, I've found that Foundation never provided a migration path from v5 -> v6, and it doesn't sound easy according to this post:

Upgrading from Foundation 5 to latest Foundation 6 involves a full website rebuild from a new website Template, because much of the HTML code is a bit different. No it is not difficult, but yes, there is a fair amount of work in making the transition. However, the numerous improvements are worth it.

So... we'd need to plan to remove/upgrade/replace it. Or can we do nothing? Given that this includes Javascript, and it's a common library, it's possible that we could become a target for any vulnerabilities. Looks like there are two known: https://security.snyk.io/package/npm/foundation-sites

Severity   Vulnerability                 Versions
M          Cross-site Scripting (XSS)    <6.0.0
M          Cross-site Scripting (XSS)    <5.5.3

So we could at least fix one of them by upgrading to v5.5.3, the last before v6. I'll see if that one's easy at least.

@dacook dacook self-assigned this Aug 8, 2023
@dacook
Member

dacook commented Aug 8, 2023

v5.5.3 looks like an easy upgrade.

But what to do about the existing vulnerability?
I took a look and it's actually the same vulnerability, which wasn't fully fixed in v5.5.3 🤦

Ok, so does it actually affect us? I don't think so. Introduced in this commit, we can see it's inside the caption JS function that operates on any <img data-caption=""> elements. Curiously, I can't find the text "caption" in our codebase anywhere.

So if we're not affected, can we stay on v5.5.2 for now? I think so. Sound ok to you @mkllnk ?

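The exposure check dacook walks through above (which advisory ranges the installed version falls into, and whether the app actually reaches the caption helper that renders `<img data-caption="">`), as an added example that is not code from this project or from Foundation. The fixed versions come from the Snyk table quoted in the thread; the file extensions, directory layout and `SAMPLE_SOURCES` are constructed assumptions.

```python
import os
import re

# Advisory ranges from the Snyk table quoted in the thread: both XSS entries,
# one fixed in 5.5.3 and one fixed in 6.0.0 (everything below is affected).
FIXED_IN = ["5.5.3", "6.0.0"]

# Constructed sample tree standing in for the app (assumption, not real files).
SAMPLE_SOURCES = {
    "app/views/products/show.html.erb":
        '<img src="/p.png" data-caption="Heirloom tomatoes">\n<p>ok</p>',
    "app/assets/javascripts/app.js": "$(document).foundation();\n",
}

def parse_version(spec):
    """Turn "5.5.2", "^5.5.2" or "~6.7.5" into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"no semver in {spec!r}")
    return tuple(int(x) for x in m.groups())

def unfixed_advisories(installed):
    """Fixed versions the installed one is still below, i.e. advisories that apply."""
    v = parse_version(installed)
    return [fixed for fixed in FIXED_IN if v < parse_version(fixed)]

# The advisory concerns the caption helper that renders <img data-caption="">,
# so any template or script mentioning "caption" marks that path as reachable.
CAPTION_RE = re.compile(r"data-caption|\bcaption\b", re.IGNORECASE)

def caption_usages(sources):
    """Map file name -> line numbers mentioning the caption feature."""
    hits = {}
    for path, text in sources.items():
        lines = [n for n, line in enumerate(text.splitlines(), 1) if CAPTION_RE.search(line)]
        if lines:
            hits[path] = lines
    return hits

def load_sources(root, exts=(".html", ".erb", ".haml", ".js", ".coffee", ".scss")):
    """Read template/script/style files under `root` (directory layout is assumed)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out[path] = fh.read()
    return out
```

On a real checkout, `unfixed_advisories("5.5.2")` reports both fixed versions as still ahead, `unfixed_advisories("5.5.3")` only `6.0.0`, and `caption_usages(load_sources("app"))` lists where the caption feature is referenced; an empty result is the "we're not affected" evidence the thread relies on.
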
@mkllnk
Member

mkllnk commented Aug 9, 2023

can we stay on v5.5.2 for now?

Sure. Let's just keep it as is. We will replace it one day...

@mkllnk mkllnk closed this Aug 9, 2023
@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Aug 9, 2023

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/foundation-sites-6.7.5 branch August 9, 2023 01:19