[Report] Website Security & Quality Findings #1100

Description

@eddie-knight

Situation

Maintainers have access to view the Security and quality tab on GitHub. Currently there are 200+ findings related to npm code, likely due to the large volume of AI-generated code currently in the website directory. The curse of rapid progress.

Risk

While this is not a threat to our catalog-users, it may be a reputational risk for the project if any of these issues can result in a compromise of the website. There is additional reputational risk associated with the perception of an apparently insecure asset produced by the project (even logging this issue is adding to that particular risk).

Due to the high volume of reports, I haven't managed to assess the actual risk beyond "something bad might be hiding in these alerts."

Proposed Mitigation

As we are improving the website, it would be prudent to (1) reduce the size of the codebase and (2) assess the overall security posture.

Because alerts in this tool do not always self-clear in all scenarios, this may involve clearing and re-triggering the alerts to determine the latest posture.
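The triage step above (deciding what, among 200+ alerts, is actually worth worrying about) is easier once the alerts are pulled out of the web UI and summarized. The following is an added example, not code from the issue author or the project: it assumes the findings are GitHub code-scanning alerts fetched as JSON from the REST endpoint `GET /repos/{owner}/{repo}/code-scanning/alerts` (for instance via `gh api --paginate`), and the embedded alert records are constructed sample data in that shape, not real findings from the repository. It keeps only open alerts, counts them by security severity and by top-level directory, lists the most frequent rules, and produces a review order with the most severe alerts first.

```python
import json
from collections import Counter

# Constructed sample mimicking the JSON shape of GitHub's
# GET /repos/{owner}/{repo}/code-scanning/alerts response. These are made-up
# records for illustration, not findings from any real repository.
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 1, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/prototype-pollution-utility", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "website/src/lib/merge.js"}}},
    {"number": 2, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/xss", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "website/src/components/Render.jsx"}}},
    {"number": 3, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/incomplete-url-substring-sanitization", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "website/src/utils/links.js"}}},
    {"number": 4, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/unused-local-variable", "security_severity_level": None},
     "most_recent_instance": {"location": {"path": "website/src/pages/index.js"}}},
    {"number": 5, "state": "dismissed", "dismissed_reason": "false positive",
     "rule": {"id": "js/regex/missing-regexp-anchor", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "website/src/utils/validate.js"}}},
    {"number": 6, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/code-injection", "security_severity_level": "critical"},
     "most_recent_instance": {"location": {"path": "scripts/build/generate.js"}}},
    {"number": 7, "state": "fixed", "dismissed_reason": None,
     "rule": {"id": "js/xss", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "website/src/old/Widget.jsx"}}},
    {"number": 8, "state": "open", "dismissed_reason": None,
     "rule": {"id": "js/xss", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "website/src/components/Form.jsx"}}},
])

# Lower rank = reviewed earlier. Quality-only rules carry no security severity.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unrated": 4}


def load_alerts(text):
    """Parse the JSON array of alert records (e.g. saved output of `gh api`)."""
    return json.loads(text)


def severity_of(alert):
    """Security severity of the triggering rule; rules without one are 'unrated'."""
    return (alert["rule"].get("security_severity_level") or "unrated").lower()


def path_of(alert):
    """File path of the most recent instance of the alert."""
    return alert["most_recent_instance"]["location"]["path"]


def open_alerts(alerts):
    """Only 'open' alerts need action; 'fixed' and 'dismissed' are already resolved."""
    return [a for a in alerts if a["state"] == "open"]


def count_by_severity(alerts):
    return dict(Counter(severity_of(a) for a in alerts))


def count_by_directory(alerts, depth=1):
    """Group by the first `depth` path components to see where alerts cluster."""
    return dict(Counter("/".join(path_of(a).split("/")[:depth]) for a in alerts))


def top_rules(alerts, n=3):
    """Most frequent rule ids; a handful of rules usually account for most noise."""
    return Counter(a["rule"]["id"] for a in alerts).most_common(n)


def review_order(alerts):
    """Alert numbers sorted most severe first, then by path so related files sit together."""
    ranked = sorted(alerts, key=lambda a: (SEVERITY_RANK.get(severity_of(a), 9), path_of(a)))
    return [a["number"] for a in ranked]


def triage(text):
    """Summarize a raw alert dump into the numbers a maintainer needs to decide priority."""
    alerts = open_alerts(load_alerts(text))
    return {
        "open_total": len(alerts),
        "by_severity": count_by_severity(alerts),
        "by_directory": count_by_directory(alerts),
        "top_rules": top_rules(alerts),
        "review_order": review_order(alerts),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS_JSON), indent=2))
```

Feeding a real export through `triage()` answers the two questions the issue raises: whether anything severe is hiding in the volume (the `by_severity` and `review_order` fields) and whether the alerts concentrate in a directory that could simply be removed (the `by_directory` field, which accepts a larger `depth` to drill into subfolders). Filtering on `state == "open"` also sidesteps the stale-alert problem mentioned above, since fixed and dismissed records are excluded whether or not the UI has caught up.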

Labels: website (Work related to the Website WG)
