Set specific version of Algolia docsearch, set SRI

[colindean]

I was about to drop the SRI attributes, but then noticed that jsdelivr had some warnings:

• Skipped minification because the original files appear to be already minified.
• Original file: /npm/@docsearch/[email protected]/dist/umd/index.js
• Do NOT use SRI with dynamically generated files! More information: https://www.jsdelivr.com/using-sri-with-dynamic-files

So, to heed these warnings, I decided it was best to pin to a particular version of docsearch and use the pre-minified index.js to avoid dynamic modification.

Work toward #973

[colindean]

The one downside to this is getting the security benefits but losing the automatic update of the docsearch library...

And docsearch/js is updated ~monthly: https://www.npmjs.com/package/@docsearch/js?activeTab=versions

[Bo98]

At the very least, the version should be linked to the stylesheet above.

We probably also want a workflow that auto-updates this, with perhaps notices pointing maintainers to test locally in the event of major version bumps.

[SMillerDev]

We could add a package.json and fail the build if the versions don't match

[MikeMcQuaid]

We probably also want a workflow that auto-updates this, with perhaps notices pointing maintainers to test locally in the event of major version bumps.

Agreed. It feels like we're going to have to lean into Dependabot if we do this.

Not convinced the lack of SRI is a bigger security problem than sitting on older versions indefinitely.

[colindean]

Upstream docsearch project has an open request for an SRI strategy: algolia/docsearch#1561

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[colindean]

I posted about a potential solution in algolia/docsearch#1561 (comment). It's extra but it'd solve the problem if falling behind docsearch versions is a bad thing.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[colindean]

If the build-time SRI generation is acceptable, I can move forward with that.

[MikeMcQuaid]

If the build-time SRI generation is acceptable, I can move forward with that.

@colindean Can you detail more what this looks like?

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[colindean]

See algolia/docsearch#1561 (comment), but briefly, it's this at jekyll build time:

1. retrieve the latest version of the library from the NPM registry API
2. retrieve the content of jsdelivr's cache at that version and get the SRI hash
3. include the output of that in my generated script tag.

This would safen the resource, creating only a threat vector at site build time.

This also creates a build time dependency on the NPM API and jsdelivr.net, but if these are inaccessible, the build could fall back to using the latest version URL and not specifying an SRI.

[MikeMcQuaid]

Closing this out for now but happy to review a new PR when that approach is done.