Merge branch 'main' into css-linting

UlisesGascon · web-flow · commit 3b5859fa1644 · 2025-11-14T21:57:37.000+01:00
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -0,0 +1,18 @@
+name: Lint website and markdown files
+
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: scorecards-site
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5
+        with:
+          node-version: 22
+      - run: yarn install --frozen-lockfile
+      - run: yarn lint
diff --git a/README.md b/README.md
@@ -13,7 +13,8 @@ The site is deployed on Netlify and the deployment configuration is in
 [netlify.toml](./netlify.toml). Any changes committed to
 [netlify.toml](./netlify.toml) and [scorecards-site/](./scorecards-site) on
 `main` branch gets automatically deployed to production. So please make sure to
-review deploy previews when making changes to the site.
+review deploy previews when making changes to the site. The documentation for 
+local development can be found [here](/scorecards-site/README.md)
 
 The API uses [OpenAPI](https://www.openapis.org/) spec and
 [go-swagger](https://goswagger.io/) to auto-generate server and client code. Any
diff --git a/scorecards-site/README.md b/scorecards-site/README.md
@@ -2,9 +2,9 @@
 
 ## Pre-requisites
 
-*   [NVM](https://github.com/nvm-sh/nvm)
-*   NPM
-*   [Yarn](https://classic.yarnpkg.com/lang/en/docs/install/)
+- [NVM](https://github.com/nvm-sh/nvm)
+- NPM
+- [Yarn](https://classic.yarnpkg.com/lang/en/docs/install/)
 
 ## Build Setup
 
diff --git a/scorecards-site/components/CommitData.vue b/scorecards-site/components/CommitData.vue
@@ -11,7 +11,10 @@
 export default {
   name: 'Test',
   props: {
-    latestCommit: null,
+    latestCommit: {
+      type: String,
+      default: '',
+    },
   },
   data() {
     return {}
diff --git a/scorecards-site/components/RepoButton.vue b/scorecards-site/components/RepoButton.vue
@@ -16,8 +16,14 @@ export default {
     GithubRepoIcon,
   },
   props: {
-    commits: null,
-    stars: null,
+    commits: {
+      type: Number,
+      default: 0,
+    },
+    stars: {
+      type: Number,
+      default: 0,
+    },
   },
   data() {
     return {
diff --git a/scorecards-site/components/global/CodeGroup.vue b/scorecards-site/components/global/CodeGroup.vue
@@ -47,7 +47,6 @@ export default {
   },
   methods: {
     changeCodeTab(index) {
-      console.log(index)
       this.activeCodeTabIndex = index
     },
     loadTabs() {
@@ -74,7 +73,11 @@ export default {
           tab.elm.classList.remove('theme-code-block__active')
         }
       })
-      if (this.codeTabs[index] && this.codeTabs[index].elm && this.codeTabs[index].elm.classList) {
+      if (
+        this.codeTabs[index] &&
+        this.codeTabs[index].elm &&
+        this.codeTabs[index].elm.classList
+      ) {
         this.codeTabs[index].elm.classList.add('theme-code-block__active')
       }
     },
diff --git a/scorecards-site/content/home.md b/scorecards-site/content/home.md
@@ -131,7 +131,7 @@ Scorecard also has standalone binaries and other platforms troubleshooting and c
 
 <h2 class="h1" id="learn-more">Learn more</h2>
 
-> We rely on Security Scorecards *[i.e., OpenSSF Scorecard]* to ensure we follow secure development best practices.
+> We rely on Security Scorecards _[i.e., OpenSSF Scorecard]_ to ensure we follow secure development best practices.
 
 <div class="text-right"><cite>Appu Goundan, <a href="https://github.com/GoogleContainerTools/distroless">Distroless</a></cite></div>
 
@@ -141,7 +141,7 @@ By some estimates\* 84% of all codebases have at least one vulnerability, with a
 
 Even in large tech companies, the tedious process of reviewing code for vulnerabilities falls down the priority list, and there is little insight into known vulnerabilities and solutions that companies can draw on.
 
-That’s where Security Scorecards *[i.e., OpenSSF Scorecard]* is helping. Its focus is to understand the security posture of a project and assess the risks that dependencies introduce.
+That’s where Security Scorecards _[i.e., OpenSSF Scorecard]_ is helping. Its focus is to understand the security posture of a project and assess the risks that dependencies introduce.
 
 \*[Open Source Security and Risk Analysis Report](https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?intcmp=sig-blog-ossra1) (Synopsys, 2021)
 
@@ -231,45 +231,45 @@ You can learn more about the scoring criteria, risks, and remediation suggestion
 #### Holistic security practises
 
 | Code vulnerabilities                                                                          | Description                                                                              | Risk |
-|-----------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|------|
+| --------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | ---- |
 | [Vulnerabilities](https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities) | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev/). | High |
 
 | Maintenance                                                                                                 | Description                                                                                                                                                                                                                                                                                          | Risk   |
-|-------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
+| ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
 | [Dependency Update Tool](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) | Does the project use tools to help update its dependencies e.g. [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates), [RenovateBot](https://github.com/renovatebot/renovate)? | High   |
 | [Maintained](https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained)                         | Is the project maintained?                                                                                                                                                                                                                                                                           | High   |
 | [Security Policy](https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy)               | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?                                                                                                                  | Medium |
 | [Licence](https://github.com/ossf/scorecard/blob/main/docs/checks.md#license)                               | Does the project declare a licence?                                                                                                                                                                                                                                                                  | Low    |
 | [CII Best Practices](https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices)         | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?                                                                                                                                                                                                 | Low    |
 
 | Continuous testing                                                              | Description                                                                                                                                                                                                                                                                                                                    | Risk   |
-|---------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
+| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------ |
 | [CI Tests](https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?                                                                                                                                           | Low    |
 | [Fuzzing](https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing)   | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?                                                                                                                                                                                                                                       | Medium |
 | [SAST](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast)         | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM](https://lgtm.com/), [SonarCloud](https://sonarcloud.io/)? | Medium |
 
 #### Source risk assessment
 
 | Name                                                                                                | Description                                                                                                                                           | Risk     |
-|-----------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
 | [Binary Artifacts](https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts)     | Is the project free of checked-in binaries?                                                                                                           | High     |
 | [Branch Protection](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)   | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches)? | High     |
 | [Dangerous Workflow](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Actions?                                                                                   | Critical |
 | [Code Review](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)               | Does the project require code review before code is merged?                                                                                           | High     |
-| [Contributors](https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors)             | Does the project have contributors from multiple organizations?                                                                         | Low      |
+| [Contributors](https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors)             | Does the project have contributors from multiple organizations?                                                                                       | Low      |
 
 #### Build risk assessment
 
 | Name                                                                                                  | Description                                                                                                                                                                                                                      | Risk   |
-|-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
+| ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
 | [Pinned Dependencies](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?                         | Medium |
 | [Token Permissions](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)     | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?                                                                                       | High   |
 | [Packaging](https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging)                     | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages)? | Medium |
 | [Signed Releases](https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases)         | Does the project [cryptographically sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?                                                                                                               | High   |
 
 <br/>
 
-> Machine checkable properties are an essential part of a sound security process. That’s why we have incorporated Security Scorecards *[i.e., OpenSSF Scorecard]* into our dependency acceptance criteria.
+> Machine checkable properties are an essential part of a sound security process. That’s why we have incorporated Security Scorecards _[i.e., OpenSSF Scorecard]_ into our dependency acceptance criteria.
 
 <div class="text-right mb-60"><cite>Harvey Tuch, <a href="https://www.envoyproxy.io/">Envoy</a></cite></div>
 
diff --git a/scorecards-site/modules/Footer/Footer.vue b/scorecards-site/modules/Footer/Footer.vue
@@ -14,7 +14,8 @@
       <div class="text-14 mb-12">
         Copyright © OpenSSF Scorecard a Series of LF Projects, LLC
         <br />
-        For website terms of use, trademark policy, and other project policies, please see <a href="https://lfprojects.org">https://lfprojects.org</a>.
+        For website terms of use, trademark policy, and other project policies,
+        please see <a href="https://lfprojects.org">https://lfprojects.org</a>.
       </div>
       <div class="text-14">
         <strong>Privacy statement: </strong> We use
diff --git a/scorecards-site/modules/Header/Header.js b/scorecards-site/modules/Header/Header.js
@@ -54,12 +54,35 @@ export default {
         hour12: false,
         timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
       }
-      const response = await fetch(this.apiURL)
-      const data = await response.json()
-      const d = data[0].commit.committer.date
-      this.latestCommit = new Intl.DateTimeFormat('en-US', options).format(
-        new Date(d)
-      )
+      try {
+        const response = await fetch(this.apiURL)
+        const data = await response.json()
+
+        // Guard against empty responses or unexpected shapes
+        if (!data || !Array.isArray(data) || data.length === 0) {
+          this.latestCommit = null
+          return
+        }
+
+        const first = data[0]
+        if (
+          !first ||
+          !first.commit ||
+          !first.commit.committer ||
+          !first.commit.committer.date
+        ) {
+          this.latestCommit = null
+          return
+        }
+
+        const d = first.commit.committer.date
+        this.latestCommit = new Intl.DateTimeFormat('en-US', options).format(
+          new Date(d)
+        )
+      } catch (e) {
+        // Network issues or rate limits can cause generate to fail; fail gracefully
+        this.latestCommit = null
+      }
     },
     async getTotalCommits(owner, repo) {
       // TODO: store this is state/cache so we do not have to load every time
diff --git a/scorecards-site/package.json b/scorecards-site/package.json
@@ -10,7 +10,7 @@
     "lint:js": "eslint --ext \".js,.vue\" --ignore-path .gitignore .",
     "lint:prettier": "prettier --check .",
     "lint": "yarn lint:js && yarn lint:prettier",
-    "lintfix": "prettier --write --list-different . && yarn lint:js --fix"
+    "lint:fix": "prettier --write --list-different . && yarn lint:js --fix"
   },
   "lint-staged": {
     "*.{js,vue}": "eslint --cache",
@@ -32,17 +32,14 @@
     "nuxt": "^2.15.8",
     "prismjs": "^1.30.0",
     "rehype-add-classes": "^1.0.0",
-    "retext-emoji": "^8.1.0",
     "sass-loader": "10",
-    "shiki": "^3.12.2",
     "swiper": "6.x",
     "vue": "^2.6.14",
     "vue-awesome-swiper": "^4.1.1",
     "vue-intersect": "^1.1.6",
     "vue-intersect-directive": "^1.1.1",
     "vue-server-renderer": "^2.6.14",
-    "vue-template-compiler": "^2.6.14",
-    "webpack": "^4.46.0"
+    "vue-template-compiler": "^2.6.14"
   },
   "devDependencies": {
     "@babel/eslint-parser": "^7.16.3",
diff --git a/scorecards-site/plugins/components.client.js b/scorecards-site/plugins/components.client.js
@@ -27,13 +27,9 @@ const animateOnScrollObserver = new IntersectionObserver(function (
       //   window.$nuxt.$emit("setActiveToc", id);
       //   console.log(id)
       if (entry.intersectionRatio > 0.1) {
-        document
-          .querySelectorAll(
-            '.nuxt-content-container .nuxt-content h2[id], .nuxt-content-container .nuxt-content h3[id]'
-          )
-          .forEach((el) => {
-            console.log(el)
-          })
+        document.querySelectorAll(
+          '.nuxt-content-container .nuxt-content h2[id], .nuxt-content-container .nuxt-content h3[id]'
+        )
         // entry.target.classList.add('enter')
         // const headerEl = document.querySelector('header')
         // intersection ratio bigger than 90%
diff --git a/scorecards-site/static/viewer/index.html b/scorecards-site/static/viewer/index.html
diff --git a/scorecards-site/yarn.lock b/scorecards-site/yarn.lock
