Resolution of Dependabot alerts - avsitter.github.io not updating

[codeviolet]

I've noticed that http://avsitter.github.io seems to have stopped auto-updating to reflect changes made to the pages in the AVsitter documentation repository. I assume it's because of the "Dependabot alerts" seen when I log in: https://github.com/AVsitter/avsitter.github.io/security/dependabot which seem to indicate we need to update some dependencies.

I'm making this issue as I am not sure how to solve the issues and get the documentation pages auto-updating again. Hoping that Sei will take this up if familiar with resolving the conflicts, otherwise I will look at it in more detail when I get a chance.

[Sei-Lisa]

Apologies, I've had trouble with email and didn't notice the last bunch of updates. Hopefully that's fixed now. By design, avsitter.github.io is building from the `master` branch, but I changed the default branch to `devel`, and that is where pull requests go. The purpose of the change is to hold the documentation for the new version until it is released; this prevents confusing users with new features that are not yet present in the version from Marketplace. Part of the release process will then be to merge `devel` into `master` in this repository, so that the new version changes become visible. In the case of #52, since it applies to all versions, I've cherry-picked it on `master` and pushed; the change is now effective. As for Dependabot, I review the proposed changes and whether the security fixes affect us. I don't upgrade if they aren't necessary. It's unusual that one of the fixes may affect us (unless it's something like a cross-site scripting vulnerability) because the build process happens in a virtual machine that can't be affected externally, and once built, the pages are just static HTML and JS with no server-side software running on the GitHub servers. Rather than updating blindly and taking the risk of breaking the existing site, I prefer to hold things as they are while possible.

[Sei-Lisa]

The latest update was unnecessary: https://nvd.nist.gov/vuln/detail/CVE-2021-32740 "a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input [...]" `addressable` is part of the building process, and since all additions to the repository come from trusted user input (reviewed via pull requests), we fall under "typical usage" and the update doesn't apply to this case. Since `devel` is not built by default, it's still unknown whether the change will affect the build. Since I'm not sure of the implications, to be on the safe side I've reverted the change. Dependabot will probably complain again.