Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#8154 closed defect (bug) (fixed)

Fix node modules vulnerabilities

Reported by: imath
Owned by: imath
Milestone: 6.0.0
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: needs-patch


Just did npm install and got:

found 51 vulnerabilities (23 low, 13 moderate, 15 high)

I think it would be great to have this fixed asap.

Attachments (2)

8154.patch (152.6 KB) - added by imath 4 years ago.
8154.2.patch (25.7 KB) - added by imath 4 years ago.

Change History (15)

#1 @imath
4 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hi @netweb, could you check 8154.patch? It fixes a majority of the vulnerabilities without adding too much work (updating stylelint generates way too many errors in css/scss files).

Using the phplint module instead of grunt-phplint (not updated for 3 years!!) fixes all high and major vulnerabilities!

#2 @espellcaste
4 years ago

@imath Do you think it is better to postpone this ticket to the next release? A set of eyes from @netweb would be invaluable.

#3 @imath
4 years ago

You're probably right, but I'd really like to have this ticket fixed. It's very annoying to have these vulnerabilities. I'll wait until the last minute but will commit it the way it is before the 6.0.0 release if we don't have feedback about it.

#4 @imath
4 years ago

Just had a look: there are 9 high node vulnerabilities in grunt-contrib-imagemin, from the version we currently use to the latest (v3.1.0).

#5 @imath
4 years ago

In 12573:

Add node modules to have tools to compile & bundle modern JavaScript

  1. Add Parcel and Babel.

Parcel is a web application bundler used to watch and build BP Blocks and BP Block components. It is associated with Babel, a toolchain that is mainly used to convert ECMAScript 2015+ code into a backwards compatible version of JavaScript in current and older browsers or environments.

  2. Add the default Babel preset for WordPress development.
  3. Remove our development dependency on grunt-wp-i18n, as from now on we will use WP CLI to generate a pot file that also takes JavaScript i18n strings into account.
  4. Add the needed Parcel commands to prepare BP Blocks compiling tasks.
  5. Update Grunt.js to latest stable.

NB: contributors, please use npm install to update your node modules locally.

See #8048
See #8154

#6 @imath
4 years ago

In 12582:

Build tools: update CSS/SCSS linting node modules

  • Update stylelint, grunt-stylelint, stylelint-config-wordpress to latest stable version.
  • Add a specific stylelint config for BuddyPress.
  • Lint some CSS/SCSS files.

PS: let's hope it will fix the failing Travis CI test!

See #8154
See #8048

#7 @imath
4 years ago

In 12583:

Build tools: update some other node modules

  • Update grunt-contrib-imagemin and matchdep to latest stable
  • Replace grunt-phplint by phplint
  • Downgrade grunt-stylelint to 0.12.0 as 0.14.0 requires a higher version of stylelint than the one we are using.

See #8154

#8 @imath
4 years ago

  • Keywords needs-patch added; has-patch 2nd-opinion removed
  • Milestone changed from 6.0.0 to Up Next

grunt-contrib-imagemin has not fixed the vulnerability yet. So let's finish this during the next release.

#9 @imath
4 years ago

In 12585:

Update image sizes now the imagemin node module has been upgraded

See #8154

#10 @imath
4 years ago

  • Milestone changed from Up Next to 6.0.0
  • Owner changed from netweb to imath
  • Status changed from new to assigned

grunt-contrib-imagemin fixed the issue 4 days ago. Let's fix it in 6.0.0.

#11 @imath
4 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 12610:

Build tools: update grunt-contrib-imagemin to 3.1.0

There is now 1 low node module vulnerability remaining.

Fixes #8154

#12 @r-a-y
4 years ago

I just ran npm install and I'm getting the following:

found 24 vulnerabilities (15 low, 9 high) in 20754 scanned packages
  run `npm audit fix` to fix 23 of them.
  1 vulnerability requires manual review. See the full report for details.

Let me know if you want me to post the full npm audit log.

Update - I was behind by a few commits. Just rebased and everything is good! Apologies imath!

#13 @imath
4 years ago

No problem @r-a-y ;)