The bootstrap_sass/package.json file has deprecated dependencies and devdependencies.

The current packages need to be updated to eliminate errors and security vulnerabilities in deprecated packages.

CommentFileSizeAuthor
#8 package-lock.json_.txt530.89 KBemptyvoid
#7 2025-01-29-security-gull-scss-lint-report.png112.63 KBemptyvoid
#7 2025-01-29-security-gull-scss-lint-image.png124.35 KBemptyvoid
#6 after-apply-chnages.png349.06 KBravi kant
#3 gulp-run-error.png567.58 KBravi kant

Issue fork bootstrap_sass-3437699

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

kenfordesign created an issue. See original summary.

ravi kant made their first commit to this issue’s fork.

ravi kant’s picture

ravi kant commented
StatusFileSize
new gulp-run-error.png567.58 KB

Getting error when running gulp command.

error

DamienMcKenna opened merge request !20

damienmckenna’s picture

damienmckenna
Location TN, USA
commented
Version: 5.0.10 » 5.x-dev
Status: Active » Needs work

After I apply the change locally I can't compile the theme anymore, when I run "gulp" I get this:

$ gulp
[07:06:13] Unsupported gulp version
ravi kant’s picture

ravi kant commented
Status: Needs work » Needs review
StatusFileSize
new after-apply-chnages.png349.06 KB

@DamienMcKenna

I am using below version of gulp

CLI version: 3.0.0
Local version: 5.0.0

Also i have fixed compiling error.

after

emptyvoid’s picture

emptyvoid commented
StatusFileSize
new 2025-01-29-security-gull-scss-lint-image.png124.35 KB
new 2025-01-29-security-gull-scss-lint-report.png112.63 KB

This may be related, let me know if I should post a new issue.

But this package has serious security notices blocking release for our government projects.
Is there an alternative package which could be used or some way to fix the injection security issues?

https://www.npmjs.com/package/gulp-scss-lint?activeTab=readme

Security check notice
node security audit

Security Report on issue
Security report

What options do we have to replace it or fix this issue?

emptyvoid’s picture

emptyvoid commented
StatusFileSize
new package-lock.json_.txt530.89 KB

Found a commit for the library waiting on it to be merged into an release.

https://github.com/juanfran/gulp-scss-lint/pull/95

package-lock.json uploaded with the patch commit fixing the security issue.

 "gulp-scss-lint": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/gulp-scss-lint/-/gulp-scss-lint-1.0.0.tgz",
      "integrity": "sha512-oiaBUSHYySCvKSXymObuvThhfrqjxReqmFyZrABGspVnPJhzjDcSGb1s+9IURcWa5yZmgZTrsyQ1/ImRDWmg8A==",
      "dev": true,
      "requires": {
        "bluebird": "^3.3.5",
        "chalk": "^2.4.1",
        "dargs": "~6.0.0",
        "event-stream": "3.3.4",
        "fancy-log": "^1.3.2",
        "plugin-error": "^1.0.1",
        "pretty-data": "^0.40.0",
        "shell-escape": "^0.2.0",
        "slash": "^2.0.0",
        "vinyl": "^2.2.0",
        "vinyl-fs": "^3.0.3",
        "xml2js": "^0.4.16"
      },
"node_modules/gulp-scss-lint": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/pathval/-/pathval-1.1.1.tgz",
      "integrity": "sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ==",
      "dev": true,
      "dependencies": {
        "bluebird": "^3.3.5",
        "chalk": "^2.4.1",
        "dargs": "~6.0.0",
        "event-stream": "3.3.4",
        "fancy-log": "^1.3.2",
        "plugin-error": "^1.0.1",
        "pretty-data": "^0.40.0",
        "shell-escape": "^0.2.0",
        "slash": "^2.0.0",
        "vinyl": "^2.2.0",
        "vinyl-fs": "^3.0.3",
        "xml2js": "^0.4.16"
      },
      "engines": {
        "node": ">= 0.10"
      }
    },

So manually add this to your custom theme built from the contrib theme or get this committed to a release at some point?