Problem/Motivation

@Berdir reported that `npm audit` is complaining that multiple packages we are using have security issues, and we should improve the situation.

Note that this does not in any way affect the security of this theme or child themes - npm modules are used only for theme compilation and are/should not be deployed/installed to live. However, we should fix this by updating the related modules.

Here is the current security report:

  • package name / level / recommendation
  • minimist / multiple criticals / install >=1.2.6
  • acorn / high / install >=5.7.4
  • copy-props / high / install >=2.0.5
  • merge / high / install >=2.1.1
  • shelljs / high / install >=0.8.5
  • http-cache-semantics / high / install >=4.1.1
  • minimatch / high / install >=3.0.5
  • glob-parent / high / install >=5.1.2
  • ansi-regex / high / install >=3.0.1
  • y18n / high / install >=3.2.2
  • kind-of / high / install >=6.0.3
  • ini / high / install >=1.3.6
  • yargs-parser / moderate / install >=5.0.1
  • ajv / moderate / install >=6.12.3
  • jsonpointer / moderate / install >=5.0.0
  • path-parse / moderate / install >=1.0.7
  • hosted-git-info / moderate / install >=2.8.9
  • decode-uri-component / low / install >=0.2.1
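The report above is the `package / level / recommendation` view that `npm audit` gives. Deciding what to do about each line is easier when you can also see which direct devDependency drags each advisory in, since that is what tells you whether removing an unused package clears it. The script below is an added example, not part of this issue or the theme's own tooling: it reads the npm 7+ `npm audit --json` "vulnerabilities" shape, prints the same three-column view plus the root package(s), and reports which advisories would disappear if a given direct dependency were dropped. `SAMPLE_AUDIT` is constructed; the package names mirror the issue, but the advisory entries, ranges and dependency links are illustrative, not the theme's real audit output.

```javascript
// Added example (not from the issue). Summarise `npm audit --json` output and
// attribute each advisory to the direct dependency that pulls it in.
// SAMPLE_AUDIT is CONSTRUCTED to resemble the npm 7+ audit JSON shape; names
// match the issue, everything else is illustrative.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    minimist: {
      name: "minimist", severity: "critical", isDirect: false, range: "<1.2.6",
      via: [{ name: "minimist", title: "advisory (constructed)", url: "https://advisory.invalid/1" }],
      effects: ["gulp-sass-lint"], fixAvailable: true,
    },
    acorn: {
      name: "acorn", severity: "high", isDirect: false, range: "<5.7.4",
      via: [{ name: "acorn", title: "advisory (constructed)", url: "https://advisory.invalid/2" }],
      effects: ["gulp-sass-lint"], fixAvailable: true,
    },
    "ansi-regex": {
      name: "ansi-regex", severity: "high", isDirect: false, range: "<3.0.1",
      via: [{ name: "ansi-regex", title: "advisory (constructed)", url: "https://advisory.invalid/3" }],
      effects: ["gulp-sass-lint", "gulp"], fixAvailable: true,
    },
    "glob-parent": {
      name: "glob-parent", severity: "high", isDirect: false, range: "<5.1.2",
      via: [{ name: "glob-parent", title: "advisory (constructed)", url: "https://advisory.invalid/4" }],
      effects: ["gulp"], fixAvailable: false,
    },
    // Direct devDependencies: `via` holds the names of vulnerable packages they depend on.
    "gulp-sass-lint": {
      name: "gulp-sass-lint", severity: "critical", isDirect: true, range: "*",
      via: ["minimist", "acorn", "ansi-regex"], effects: [], fixAvailable: true,
    },
    gulp: {
      name: "gulp", severity: "high", isDirect: true, range: "*",
      via: ["ansi-regex", "glob-parent"], effects: [], fixAvailable: false,
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Follow `effects` upward until a direct dependency is reached. `path` only
// guards against cycles on the current branch, so roots reachable through a
// second branch are still found.
function directRoots(audit, name, path = new Set()) {
  const v = audit.vulnerabilities[name];
  if (!v || path.has(name)) return [];
  const effects = v.effects || [];
  if (v.isDirect || effects.length === 0) return [name];
  const next = new Set(path).add(name);
  return [...new Set(effects.flatMap((e) => directRoots(audit, e, next)))];
}

// One row per package with an advisory of its own (an object entry in `via`);
// packages listed only because a dependency of theirs is vulnerable are skipped.
function summarizeAudit(audit) {
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      vulnerableRange: v.range,
      fix: v.fixAvailable ? "update available" : "blocked: no compatible fix",
      roots: directRoots(audit, v.name),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
}

// Advisories that vanish if direct dependency `root` is removed outright,
// i.e. those reachable from no other direct dependency.
function removalImpact(audit, root) {
  return summarizeAudit(audit)
    .filter((row) => row.roots.length > 0 && row.roots.every((r) => r === root))
    .map((row) => row.name);
}

for (const row of summarizeAudit(SAMPLE_AUDIT)) {
  console.log(`${row.name} / ${row.severity} / ${row.vulnerableRange} / ${row.fix} / via ${row.roots.join(", ")}`);
}
console.log("Removing gulp-sass-lint clears:", removalImpact(SAMPLE_AUDIT, "gulp-sass-lint").join(", "));
```

To run it against a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of `npm audit --json` output. Note the distinction the script makes: an advisory shared between two roots (here `ansi-regex`, reachable via both `gulp-sass-lint` and `gulp`) is not listed as cleared by removing only one of them, which is the case to watch for when pruning devDependencies to silence the report.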
Files:
  • #3 remove-and-update-node-libs-3347496-3.patch (285.61 KB) by pivica

Comments

pivica created an issue. See original summary.


Title: Fix npm audit report » Fix npm audit report, remove gulp-plumber, gulp-sass-lint and stylelint packages

Status: Active » Needs review

Here is a patch.

npm/pnpm audit is now reporting just "glob-parent / high / install >=5.1.2", which we cannot update for now because of gulp.

I've decided to remove gulp-sass-lint because it is not maintained anymore, and we are not using it. It is using old versions of minimist, acorn, merge, shelljs.
If we need a linter in the future we will replace it with something better - I think that core started pushing linter configurations with modern tools for CSS and JS, which we should use if we want linter support.

Remove all stylelint packages - they are blocking updates of various modules, and we are not using stylelint for now. Same decision as for gulp-sass-lint.

We can remove gulp-plumber package because we are not using it.

ajv we can remove when we remove gulp-sass-lint and all stylelint packages.

jsonpointer we can remove when we remove gulp-sass-lint.

  • pivica committed b224dae3 on 8.x-1.x
    Issue #3347496 by pivica: Fix npm audit report, remove gulp-plumber,...

Status: Needs review » Fixed

Committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.