Opened 21 months ago

Closed 16 months ago

Last modified 16 months ago

#8154 closed defect (bug) (fixed)

Fix node modules vulnerabilities

Reported by: imath
Owned by: imath
Milestone: 6.0.0
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: needs-patch

Just did npm install and got :

found 51 vulnerabilities (23 low, 13 moderate, 15 high)

I think it would be great to have this fixed asap.
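One way to turn that summary into a build gate, as an added example that is not part of this ticket or of BuddyPress's build tools: it parses `npm audit --json` output (a constructed sample in the npm 6 layout, with the same severity counts as above; the `"<0.0.0"` patched-range sentinel for "no fix available" is assumed from npm 6 behaviour) and fails on moderate-or-higher findings, separating what `npm audit fix` can patch from what needs manual review.

```python
import json

# Constructed sample of `npm audit --json` (npm 6 layout); not real audit data.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1": {"module_name": "grunt-phplint", "severity": "high",
              "title": "Constructed advisory A",
              "findings": [{"version": "0.1.0", "paths": ["grunt-phplint"]}],
              "patched_versions": "<0.0.0"},          # no fixed release exists
        "2": {"module_name": "grunt-contrib-imagemin", "severity": "high",
              "title": "Constructed advisory B",
              "findings": [{"version": "2.0.1",
                            "paths": ["grunt-contrib-imagemin>imagemin"]}],
              "patched_versions": ">=3.1.0"},
        "3": {"module_name": "example-dev-tool", "severity": "low",
              "title": "Constructed advisory C",
              "findings": [{"version": "1.0.0", "paths": ["example-dev-tool"]}],
              "patched_versions": ">=1.0.1"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 23, "moderate": 13,
                                     "high": 15, "critical": 0}},
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def audit_gate(audit_json, fail_at="moderate"):
    """Return (should_fail, fixable, manual) for npm 6 `npm audit --json` text.

    fixable/manual are (module_name, severity) tuples at or above `fail_at`.
    """
    report = json.loads(audit_json)
    threshold = SEVERITY_RANK[fail_at]
    fixable, manual = [], []
    for adv in report.get("advisories", {}).values():
        if SEVERITY_RANK.get(adv["severity"], 0) < threshold:
            continue
        entry = (adv["module_name"], adv["severity"])
        # npm 6 reports "<0.0.0" as the patched range when no fix is published.
        if adv.get("patched_versions") == "<0.0.0":
            manual.append(entry)
        else:
            fixable.append(entry)
    # The metadata counts cover every path, so gate on them as well as on advisories.
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    over = sum(n for sev, n in counts.items() if SEVERITY_RANK.get(sev, 0) >= threshold)
    return over > 0 or bool(fixable or manual), fixable, manual


if __name__ == "__main__":
    failed, fixable, manual = audit_gate(SAMPLE_AUDIT, "moderate")
    print("FAIL" if failed else "PASS", "fixable:", fixable, "manual review:", manual)
```

Pipe real output into it with `npm audit --json | python gate.py` after replacing the sample read with `sys.stdin.read()`.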

Attachments (2)

8154.patch (152.6 KB) - added by imath 19 months ago.
8154.2.patch (25.7 KB) - added by imath 16 months ago.

Change History (15)

#1 @imath
19 months ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hi @netweb, could you check 8154.patch? It fixes a majority of the vulnerabilities without adding too much work (updating stylelint generates way too many errors in css/scss files).

Using the phplint module instead of grunt-phplint (not updated for 3 years!!) fixes all high and major vulnerabilities!

#2 @espellcaste
17 months ago

@imath Do you think it is better to postpone this ticket to the next release? A set of eyes from @netweb would be invaluable.

#3 @imath
17 months ago

You're probably right, but I'd really like to have this ticket fixed. It's very annoying to have these vulnerabilities. I'll wait until the last minute but will commit it the way it is before the 6.0.0 release if we don't have feedback about it.

#4 @imath
17 months ago

Just had a look: there are 9 high node vulnerabilities in grunt-contrib-imagemin from the version we currently use up to the latest (v3.1.0).

Last edited 17 months ago by imath

#5 @imath
17 months ago

In 12573:

Add node modules to have tools to compile & bundle modern JavaScript

  1. Add Parcel and Babel.

     Parcel is a web application bundler used to watch and build BP Blocks and BP Block components. It is associated with Babel, a toolchain that is mainly used to convert ECMAScript 2015+ code into a backwards compatible version of JavaScript for current and older browsers or environments.

  2. Add the default Babel preset for WordPress development.
  3. Remove our development dependency on grunt-wp-i18n, as from now on we will use WP CLI to generate a pot file that also takes JavaScript i18n strings into account.
  4. Add the needed Parcel commands to prepare BP Blocks compiling tasks.
  5. Update Grunt.js to latest stable.

NB: contributors, please use npm install to update your node modules locally.

See #8048
See #8154

#6 @imath
17 months ago

In 12582:

Build tools: update CSS/SCSS linting node modules

  • Update stylelint, grunt-stylelint, stylelint-config-wordpress to latest stable version.
  • Add a specific stylelint config for BuddyPress.
  • Lint some CSS/SCSS files.

PS: let's hope it will fix the Travis CI failing test!

See #8154
See #8048

#7 @imath
17 months ago

In 12583:

Build tools: update some other node modules

  • Update grunt-contrib-imagemin and matchdep to latest stable
  • Replace grunt-phplint by phplint
  • Downgrade grunt-stylelint to 0.12.0 as 0.14.0 requires a higher version of stylelint than the one we are using.

See #8154

#8 @imath
17 months ago

  • Keywords needs-patch added; has-patch 2nd-opinion removed
  • Milestone changed from 6.0.0 to Up Next

grunt-contrib-imagemin has not fixed the vulnerability yet. So let's finish this during next release.

#9 @imath
16 months ago

In 12585:

Update image sizes now the imagemin node module has been upgraded

See #8154

#10 @imath
16 months ago

  • Milestone changed from Up Next to 6.0.0
  • Owner changed from netweb to imath
  • Status changed from new to assigned

grunt-contrib-imagemin has fixed the issue 4 days ago. Let's fix it in 6.0.0.

#11 @imath
16 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 12610:

Build tools: update grunt-contrib-imagemin to 3.1.0

There is now 1 low node module vulnerability remaining.

Fixes #8154

#12 @r-a-y
16 months ago

I just ran npm install and I'm getting the following:

found 24 vulnerabilities (15 low, 9 high) in 20754 scanned packages
  run `npm audit fix` to fix 23 of them.
  1 vulnerability requires manual review. See the full report for details.

Let me know if you want me to post the full npm audit log.

Update - I was behind by a few commits. Just rebased and everything is good! Apologies imath!

Last edited 16 months ago by r-a-y

#13 @imath
16 months ago

No problem @r-a-y ;)