Problem/Motivation
@Berdir reported that `npm audit` is complaining that multiple packages we are using have security issues, and we should improve the situation.
Note that this does not in any way affect the security of this theme or child themes: npm modules are used only for theme compilation and are not (and should not be) deployed to a live site. However, we should fix this by updating the related modules.
Here is the current security report:

Package | Level | Recommendation |
---|---|---|
minimist | multiple criticals | install >=1.2.6 |
acorn | high | install >=5.7.4 |
copy-props | high | install >=2.0.5 |
merge | high | install >=2.1.1 |
shelljs | high | install >=0.8.5 |
http-cache-semantics | high | install >=4.1.1 |
minimatch | high | install >=3.0.5 |
glob-parent | high | install >=5.1.2 |
ansi-regex | high | install >=3.0.1 |
y18n | high | install >=3.2.2 |
kind-of | high | install >=6.0.3 |
ini | high | install >=1.3.6 |
yargs-parser | moderate | install >=5.0.1 |
ajv | moderate | install >=6.12.3 |
jsonpointer | moderate | install >=5.0.0 |
path-parse | moderate | install >=1.0.7 |
hosted-git-info | moderate | install >=2.8.9 |
decode-uri-component | low | install >=0.2.1 |
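One way to verify, after updating, that every copy of these packages in the lock file meets the recommended minimum versions: the script below is an added example and is not part of the issue or of the theme's own build tooling. It reads the `packages` map of a package-lock.json (lockfile v2/v3 layout), including nested copies such as `node_modules/gulp-sass-lint/node_modules/minimist`, and lists any installed version below the threshold from the table above. The lock-file fragment is constructed for the example; point `findOutdated` at your real lock file via `JSON.parse(fs.readFileSync("package-lock.json"))`.

```javascript
// Added example: check installed versions in a package-lock.json against the
// minimum versions recommended by the audit report. Not the theme's own code.

// Minimum safe versions, taken from the audit table in the issue summary.
const RECOMMENDED_MINIMUM = {
  minimist: "1.2.6",
  acorn: "5.7.4",
  "copy-props": "2.0.5",
  merge: "2.1.1",
  shelljs: "0.8.5",
  "http-cache-semantics": "4.1.1",
  minimatch: "3.0.5",
  "glob-parent": "5.1.2",
  "ansi-regex": "3.0.1",
  y18n: "3.2.2",
  "kind-of": "6.0.3",
  ini: "1.3.6",
  "yargs-parser": "5.0.1",
  ajv: "6.12.3",
  jsonpointer: "5.0.0",
  "path-parse": "1.0.7",
  "hosted-git-info": "2.8.9",
  "decode-uri-component": "0.2.1",
};

// Compare two dotted version strings numerically (major.minor.patch).
// Returns <0 if a is older, 0 if equal, >0 if a is newer. A pre-release
// suffix ("-beta.1") is ignored, which is sufficient for a threshold check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/gulp/node_modules/minimist"; the package name is whatever
// follows the last "node_modules/". Nested copies are checked as well,
// because a vulnerable nested copy still ends up installed.
function findOutdated(lock, minimums = RECOMMENDED_MINIMUM) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry has no version to check
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const minimum = minimums[name];
    if (minimum && entry.version && compareVersions(entry.version, minimum) < 0) {
      findings.push({ name, path, installed: entry.version, minimum });
    }
  }
  return findings;
}

// Constructed lock-file fragment for the example; not the theme's real lock file.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-theme", version: "1.0.0" },
    "node_modules/minimist": { version: "1.2.6" },
    "node_modules/gulp-sass-lint/node_modules/minimist": { version: "0.0.8" },
    "node_modules/glob-parent": { version: "3.1.0" },
    "node_modules/ajv": { version: "6.12.6" },
  },
};

// Report: the nested minimist under gulp-sass-lint and glob-parent are below
// their thresholds; the top-level minimist and ajv already satisfy them.
for (const f of findOutdated(SAMPLE_LOCK)) {
  console.log(`${f.path}: installed ${f.installed}, need >=${f.minimum}`);
}
```

The nested-copy case is the one that matters here: removing a package such as gulp-sass-lint is what gets rid of its private old copy of minimist, which a top-level `npm update` would not touch. To confirm none of these packages reaches the live site, run `npm audit --omit=dev`, which limits the report to non-development dependencies.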
Comment | File | Size | Author |
---|---|---|---|
#3 | remove-and-update-node-libs-3347496-3.patch | 285.61 KB | pivica |
Comments
Comment #2
pivica CreditAttribution: pivica at MD Systems GmbH commented
Comment #3
pivica CreditAttribution: pivica at MD Systems GmbH commented
Here is a patch.
npm/pnpm audit is now reporting just "glob-parent / high / install >=5.1.2", which we cannot update for now because of gulp.
I've decided to remove gulp-sass-lint because it is not maintained anymore, and we are not using it. It is using old versions of minimist, acorn, merge, shelljs.
If we need a linter in the future we will replace it with something better - I think that core started pushing linter configurations with modern tools for CSS and JS, which we should use if we want linter support.
Remove all stylelint packages - they are blocking updates of various modules, and we are not using stylelint for now. Same decision as for gulp-sass-lint.
We can remove gulp-plumber package because we are not using it.
ajv we can remove when we remove gulp-sass-lint and all stylelint packages.
jsonpointer we can remove when we remove gulp-sass-lint.
Comment #5
pivica CreditAttribution: pivica at MD Systems GmbH commented
Committed.