
BuddyPress.org

Opened 11 months ago

Closed 6 months ago

Last modified 6 months ago

#8154 closed defect (bug) (fixed)

Fix node modules vulnerabilities

Reported by: imath Owned by: imath
Milestone: 6.0.0 Priority: normal
Severity: normal Version:
Component: Build/Test Tools Keywords: needs-patch
Cc:

Description

Just did npm install and got :

found 51 vulnerabilities (23 low, 13 moderate, 15 high)

I think it would be great to have this fixed asap.

Attachments (2)

8154.patch (152.6 KB) - added by imath 8 months ago.
8154.2.patch (25.7 KB) - added by imath 6 months ago.


Change History (15)

@imath
8 months ago

#1 @imath
8 months ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hi @netweb could you check 8154.patch? It fixes a majority of the vulnerabilities without adding too much work (updating stylelint generates way too many errors in css/scss files).

Using the phplint module instead of grunt-phplint (not updated for 3 years!!) fixes all the high and major vulnerabilities!

#2 @espellcaste
7 months ago

@imath Do you think it is better to postpone this ticket to the next release? A set of eyes from @netweb would be invaluable.

#3 @imath
7 months ago

You're probably right, but I'd really like to have this ticket fixed. It's very annoying to have these vulnerabilities. I'll wait until the last minute but will commit it the way it is before the 6.0.0 release if we don't have feedback about it.

#4 @imath
6 months ago

Just had a look, there are 9 high node vulnerabilities in grunt-contrib-imagemin from the version we currently use to latest (v3.1.0) https://github.com/gruntjs/grunt-contrib-imagemin/issues/391

Last edited 6 months ago by imath

#5 @imath
6 months ago

In 12573:

Add node modules to have tools to compile & bundle modern JavaScript

  1. Add Parcel and Babel

Parcel is a web application bundler used to watch and build BP Blocks and BP Block components. It is associated with Babel, a toolchain that is mainly used to convert ECMAScript 2015+ code into a backwards compatible version of JavaScript for current and older browsers or environments.

  2. Add the default Babel preset for WordPress development.
  3. Remove our development dependency on grunt-wp-i18n, as from now on we will use WP CLI to generate a pot file that also takes JavaScript i18n strings into account.
  4. Add the needed Parcel commands to prepare BP Blocks compiling tasks.
  5. Update Grunt.js to latest stable.

NB: contributors, please use npm install to update your node modules locally.

See #8048
See #8154

#6 @imath
6 months ago

In 12582:

Build tools: update CSS/SCSS linting node modules

  • Update stylelint, grunt-stylelint, stylelint-config-wordpress to latest stable version.
  • Add a specific stylelint config for BuddyPress.
  • Lint some CSS/SCSS files.

PS: let's hope it will fix the Travis CI failing test!

See #8154
See #8048

#7 @imath
6 months ago

In 12583:

Build tools: update some other node modules

  • Update grunt-contrib-imagemin and matchdep to latest stable
  • Replace grunt-phplint by phplint
  • Downgrade grunt-stylelint to 0.12.0 as 0.14.0 requires a higher version of stylelint than the one we are using.

See #8154

#8 @imath
6 months ago

  • Keywords needs-patch added; has-patch 2nd-opinion removed
  • Milestone changed from 6.0.0 to Up Next

grunt-contrib-imagemin has not fixed the vulnerability yet. So let's finish this during next release.

#9 @imath
6 months ago

In 12585:

Update image sizes now the imagemin node module has been upgraded

See #8154

#10 @imath
6 months ago

  • Milestone changed from Up Next to 6.0.0
  • Owner changed from netweb to imath
  • Status changed from new to assigned

grunt-contrib-imagemin fixed the issue 4 days ago. Let's fix it in 6.0.0.

@imath
6 months ago

#11 @imath
6 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 12610:

Build tools: update grunt-contrib-imagemin to 3.1.0

There is now 1 low node module vulnerability remaining.

Fixes #8154

#12 @r-a-y
6 months ago

I just ran npm install and I'm getting the following:

found 24 vulnerabilities (15 low, 9 high) in 20754 scanned packages
  run `npm audit fix` to fix 23 of them.
  1 vulnerability requires manual review. See the full report for details.

Let me know if you want me to post the full npm audit log.


Update - I was behind by a few commits. Just rebased and everything is good! Apologies imath!

Last edited 6 months ago by r-a-y
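The summaries quoted in this ticket ("found 51 vulnerabilities", "1 vulnerability requires manual review") are the human-readable tail of `npm audit`; the machine-readable form is `npm audit --json`. The script below is an added example and not part of BuddyPress or this ticket: it triages such a report so a CI step can fail on a severity threshold, separates packages reached only through devDependencies (build tooling such as grunt tasks) from runtime dependencies, and flags what `npm audit fix` cannot resolve on its own (no fixed release published, or a fix that requires a semver-major bump). The report shape follows npm 7+ `--json` output; `SAMPLE_REPORT` and `SAMPLE_PACKAGE_JSON` are constructed, and every package name, version and advisory title in them is invented.

```javascript
// Added example for this ticket, not BuddyPress code: triage an `npm audit --json`
// report in CI instead of reading the "found N vulnerabilities" line that
// `npm install` prints. The report shape follows npm 7+ `--json` output
// (report.vulnerabilities[name].{severity,isDirect,via,effects,fixAvailable});
// SAMPLE_REPORT and SAMPLE_PACKAGE_JSON are constructed, with invented package names.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: a vulnerable transitive package reached only through a
// dev-only build task, a direct dev dependency whose fix is a semver-major bump,
// and one vulnerable runtime dependency.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "sample-parser": {
      name: "sample-parser", severity: "low", isDirect: false,
      via: [{ source: 1, title: "Prototype Pollution (constructed)", severity: "low", range: "<1.2.3" }],
      effects: ["sample-mkdirs"], range: "<1.2.3", nodes: ["node_modules/sample-parser"], fixAvailable: true,
    },
    "sample-mkdirs": {
      name: "sample-mkdirs", severity: "low", isDirect: false,
      via: ["sample-parser"], effects: ["sample-lint-task"], range: "<=0.5.1",
      nodes: ["node_modules/sample-mkdirs"], fixAvailable: true,
    },
    "sample-lint-task": {
      name: "sample-lint-task", severity: "high", isDirect: true,
      via: [{ source: 2, title: "Command Injection (constructed)", severity: "high", range: "<=0.1.0" }, "sample-mkdirs"],
      effects: [], range: "*", nodes: ["node_modules/sample-lint-task"], fixAvailable: false,
    },
    "sample-image-task": {
      name: "sample-image-task", severity: "moderate", isDirect: true,
      via: [{ source: 3, title: "Regular Expression Denial of Service (constructed)", severity: "moderate", range: "<3.0.0" }],
      effects: [], range: "<3.0.0", nodes: ["node_modules/sample-image-task"],
      fixAvailable: { name: "sample-image-task", version: "3.1.0", isSemVerMajor: true },
    },
    "sample-runtime-lib": {
      name: "sample-runtime-lib", severity: "high", isDirect: true,
      via: [{ source: 4, title: "Cross-Site Scripting (constructed)", severity: "high", range: "<1.0.4" }],
      effects: [], range: "<1.0.4", nodes: ["node_modules/sample-runtime-lib"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 1, high: 2, critical: 0, total: 5 } },
};

const SAMPLE_PACKAGE_JSON = {
  dependencies: { "sample-runtime-lib": "^1.0.0" },
  devDependencies: { "sample-lint-task": "^0.1.0", "sample-image-task": "^2.0.0" },
};

// Follow `effects` (the packages that depend on this one) up to the direct
// dependencies that pull the vulnerable package in. A direct package is its own
// root; a name missing from the report is kept as a root so it is never
// silently classified as dev-only.
function directRoots(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = report.vulnerabilities[name];
  if (!entry || entry.isDirect) return [name];
  return (entry.effects || []).flatMap((parent) => directRoots(report, parent, seen));
}

// Recount by severity from the entries themselves (metadata may be absent),
// split dev-only from production-reachable packages, and flag what
// `npm audit fix` cannot handle without manual work.
function triageAudit(report, packageJson, failLevel = "high") {
  const devDeps = new Set(Object.keys(packageJson.devDependencies || {}));
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [], devOnly = [], manualReview = [], semverMajorFix = [];

  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const severity = entry.severity in counts ? entry.severity : "info";
    counts[severity] += 1;

    const roots = directRoots(report, name);
    if (roots.length > 0 && roots.every((r) => devDeps.has(r))) devOnly.push(name);

    // fixAvailable is false (no fixed release), true (`npm audit fix` suffices) or an
    // object naming the dependency that must cross a semver-major boundary
    // (`npm audit fix --force`), which is where linting or bundling breakage usually starts.
    if (entry.fixAvailable === false) manualReview.push(name);
    else if (typeof entry.fixAvailable === "object" && entry.fixAvailable !== null) {
      semverMajorFix.push(`${name} via ${entry.fixAvailable.name}@${entry.fixAvailable.version}`);
    }

    if (SEVERITY_RANK[severity] >= SEVERITY_RANK[failLevel]) failing.push(name);
  }

  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return { counts: { ...counts, total }, failing, devOnly, manualReview, semverMajorFix,
           shouldFail: failing.length > 0 };
}

// Stand-alone run on the constructed sample; in CI replace SAMPLE_REPORT with
// JSON.parse(fs.readFileSync("audit.json")) from `npm audit --json > audit.json`.
const result = triageAudit(SAMPLE_REPORT, SAMPLE_PACKAGE_JSON, "high");
console.log(JSON.stringify(result, null, 2));
```

Two caveats when wiring this into a pipeline: `npm audit` exits non-zero whenever it finds anything, so capture the JSON with `npm audit --json > audit.json || true` and let the triage decide the exit status; and dev-only does not mean ignorable, since a compromised build tool still runs on contributor machines and CI runners, so the threshold for `devOnly` findings is a policy choice rather than an automatic pass.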

#13 @imath
6 months ago

No problem @r-a-y ;)
