
Commit 21f587a

Merge pull request #1107 from AdmiringWorm/cpmr0076
(docs) Add documentation for new rule CPMR0076
2 parents 7dbc747 + 255b5aa commit 21f587a


2 files changed, +41 -0 lines changed

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
3+
---
4+
import Callout from '@choco/components/Callout.astro';
5+
import Iframe from '@choco/components/Iframe.astro';
6+
import Xref from '@components/Xref.astro';
7+
8+
<Callout type="warning">
9+
This rule has not been implemented in Package Validator, and is only available in the Chocolatey Community Validation extension.
10+
11+
Once it has been implemented in Package Validator, the severity or behavior may be changed in the Chocolatey Community Validation extension.
12+
</Callout>
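Review bot: lines 4 and 6 of this file import `Iframe` and `Xref`, but the component body (lines 8-12) only renders a `<Callout>`, so both imports are unused and should be dropped, leaving only `import Callout from '@choco/components/Callout.astro';`. Lines 1-3 are an empty frontmatter block (`---` / blank / `---`); if nothing is going to be declared there, removing it keeps the shared component minimal.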
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
---
2+
order: 76
3+
xref: cpmr0076
4+
title: CPMR0076 - Raw GitHub Icon URL Is Used (nuspec)
5+
description: Information on how to remediate the Chocolatey Package Moderation Rule 0076
6+
ruleType: Requirement
7+
---
8+
import Callout from '@choco/components/Callout.astro'
9+
import Iframe from '@choco/components/Iframe.astro';
10+
import Xref from '@components/Xref.astro';
11+
import PackageValidatorRuleRequirement from '@components/docs/PackageValidatorRuleRequirement.mdx';
12+
import PackageValidatorNotImplemented from '@components/docs/PackageValidatorNotImplemented.mdx';
13+
14+
<PackageValidatorRuleRequirement />
15+
<PackageValidatorNotImplemented />
16+
17+
## Issue
18+
19+
In the nuspec, the Icon URL has been specified as coming from GitHub or RawGit.
20+
21+
## Recommended Solution
22+
23+
Please update the Icon URL to use an Icon that is coming from a proper CDN instead of GitHub or RawGit.
24+
There are CDN providers for GitHub links that can be used, like [JSDelivr](https://www.jsdelivr.com/) and [Statically](https://statically.io/).
25+
26+
## Reasoning
27+
28+
GitHub has made it clear that hotlinking to _raw_ files on GitHub should be avoided, as these are not static assets, and RawGit has shut down.
29+
See the [GitHub Blog](https://github.blog/2013-04-24-heads-up-nosniff-header-support-coming-to-chrome-and-firefox/) for more information.
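Review bot: line 8 (`import Callout from '@choco/components/Callout.astro'`) is missing the trailing semicolon that every other import in this file and the sibling file uses, and `Callout`, `Iframe` and `Xref` are all imported but never used in the body, which only renders the two shared `PackageValidator*` components; remove the unused imports and fix the semicolon. On the content side, the Recommended Solution names jSDelivr and Statically but does not show what a converted URL looks like or advise pinning the path to a tag or commit rather than a branch, which matters for an icon that is reviewed once at moderation time and then served indefinitely: a branch-addressed URL can change after the package has been approved. Adding one example URL in each form and a sentence on pinning would make the remediation actionable. The Issue section could also state which hosts the rule matches, since "coming from GitHub or RawGit" in line 19 is broader than the title's "Raw GitHub Icon URL".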
