repo sync

Octomerger · web-flow · commit 1edd1ebd0603 · 2020-12-02T09:03:31.000-08:00
diff --git a/content/actions/guides/publishing-nodejs-packages.md b/content/actions/guides/publishing-nodejs-packages.md
@@ -8,8 +8,6 @@ redirect_from:
 versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
-authors:
-  - GitHub
 ---
 
 {% data reusables.actions.enterprise-beta %}
diff --git a/content/actions/guides/setting-up-continuous-integration-using-workflow-templates.md b/content/actions/guides/setting-up-continuous-integration-using-workflow-templates.md
@@ -11,8 +11,6 @@ redirect_from:
 versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
-authors:
-  - GitHub
 ---
 
 {% data reusables.actions.enterprise-beta %}
diff --git a/content/actions/reference/workflow-syntax-for-github-actions.md b/content/actions/reference/workflow-syntax-for-github-actions.md
@@ -958,7 +958,6 @@ The Docker image to use as the container to run the action. The value can be the
 
 ### `jobs.<job_id>.container.credentials`
 
-
 {% data reusables.actions.registry-credentials %}
 
 #### Example
diff --git a/includes/guide-card.html b/includes/guide-card.html
@@ -1,37 +1,40 @@
-{% assign authorsString = guide.page.authors | join: ", @" %}
+{% if guide.page.authors %}
+  {% assign authors = guide.page.authors %}
+{% else %}
+  {% assign authors = 'GitHub' | split: ' ' %}
+{% endif %}
+{% assign authorsString = authors | join: ", @" %}
 
 <div class="col-lg-4 col-12 mb-3">
   <a class="Box box-shadow-medium height-full d-block hover-shadow-large no-underline text-gray-dark p-5" href="{{ guide.href }}">
     <h2>{{ guide.title }}</h2>
     <p class="mt-2 mb-4 text-gray-light">{{ guide.intro }}</p>
 
-    {% if guide.page.authors and guide.page.authors.length > 0 %}
-      <footer class="d-flex">
-        <div class="mr-1">
-          {% if guide.page.authors.length == 1 %}
-            <img class="avatar avatar-2 circle mr-1" src="https://github.com/{{ guide.page.authors[0] }}.png" alt="@{{ guide.page.authors[0] }}" />
-          {% else %}
-            <div class="AvatarStack AvatarStack--three-plus">
-              <div
-                class="AvatarStack-body tooltipped tooltipped-se tooltipped-align-left-1"
-                aria-label="@{{ authorsString }}"
-              >
-                {% for author in guide.page.authors %}
-                  <img
-                    class="avatar circle"
-                    alt="@{{ author }}"
-                    src="https://github.com/{{ author }}.png"
-                  />
-                {% endfor %}
-              </div>
+    <footer class="d-flex">
+      <div class="mr-1">
+        {% if authors.length == 1 %}
+          <img class="avatar avatar-2 circle mr-1" src="https://github.com/{{ authors[0] }}.png" alt="@{{ authors[0] }}" />
+        {% else %}
+          <div class="AvatarStack AvatarStack--three-plus">
+            <div
+              class="AvatarStack-body tooltipped tooltipped-se tooltipped-align-left-1"
+              aria-label="@{{ authorsString }}"
+            >
+              {% for author in authors %}
+                <img
+                  class="avatar circle"
+                  alt="@{{ author }}"
+                  src="https://github.com/{{ author }}.png"
+                />
+              {% endfor %}
             </div>
-          {% endif %}
-        </div>
+          </div>
+        {% endif %}
+      </div>
 
-        <div>
-          @{{ authorsString }}
-        </div>
-      </footer>
-    {% endif %}
+      <div>
+        @{{ authorsString }}
+      </div>
+    </footer>
   </a>
 </div>
diff --git a/javascripts/fake-hogan.js b/javascripts/fake-hogan.js
@@ -0,0 +1,15 @@
+// This module overrides "Hogan" that instantsearch.js uses
+// Hogan uses `new Function`,
+// so we can't use it with our content security policy.
+// Turns out, we use all our own templates anyway,
+// so we just have to shim out Hogan so it doesn't error!
+
+export default {
+  compile (template) {
+    return {
+      render (data) {
+        return ''
+      }
+    }
+  }
+}
diff --git a/middleware/csp.js b/middleware/csp.js
@@ -30,9 +30,7 @@ module.exports = contentSecurityPolicy({
     ],
     scriptSrc: [
       "'self'",
-      'data:',
-      "'unsafe-eval'", // exception for Algolia instantsearch
-      "'unsafe-inline'"
+      'data:'
     ],
     frameSrc: [ // exceptions for GraphQL Explorer
       'https://graphql-explorer.githubapp.com', // production env
diff --git a/tests/rendering/server.js b/tests/rendering/server.js
@@ -53,8 +53,6 @@ describe('server', () => {
     expect(csp.get('img-src').includes('octodex.github.com')).toBe(true)
 
     expect(csp.get('script-src').includes("'self'")).toBe(true)
-    expect(csp.get('script-src').includes("'unsafe-eval'")).toBe(true) // exception for Algolia instantsearch
-    expect(csp.get('script-src').includes("'unsafe-inline'")).toBe(true)
 
     expect(csp.get('style-src').includes("'self'")).toBe(true)
     expect(csp.get('style-src').includes("'unsafe-inline'")).toBe(true)
diff --git a/webpack.config.js b/webpack.config.js
@@ -4,6 +4,7 @@ const CopyWebpackPlugin = require('copy-webpack-plugin')
 const { EnvironmentPlugin } = require('webpack')
 
 module.exports = {
+  devtool: 'source-map', // this prevents webpack from using eval
   entry: './javascripts/index.js',
   output: {
     filename: 'index.js',
@@ -70,5 +71,12 @@ module.exports = {
       ]
     }),
     new EnvironmentPlugin(['NODE_ENV'])
-  ]
+  ],
+  resolve: {
+    alias: {
+      // Hogan uses `new Function` which breaks content security policy
+      // Turns out, we aren't even using it anyways!
+      'hogan.js': path.resolve(__dirname, 'javascripts/fake-hogan.js')
+    }
+  }
 }
