WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#38199 closed task (blessed) (fixed)

Update npm dependencies for 4.7

Reported by: jorbin
Owned by: jorbin
Milestone: 4.7
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords:
Focuses:
Cc:

Description

Standard tracking ticket for all 4.7 related npm package bumps.

Attachments (1)

38199.diff (824 bytes) - added by netweb 4 years ago.


Change History (18)

#1 @jorbin
4 years ago

In 38688:

Build/Test: Bump Autoprefixer to 6.5.0

Also includes a new prefixed value.

Changes:
6.5 “Einigkeit und Recht und Freiheit”

  • Add defaults keyword to browsers requirements.
  • Fix CSS Grid Layout support.
  • Fix align-self cleaning.

6.4.1

  • Fix node cloning after some PostCSS plugins.

6.4 “Hic et ubique terrarum”

  • Add :any-link selector support.
  • Add text-decoration-skip support.
  • Add transition: duration property support.
  • Fix -webkit- prefix for backface-visibility.
  • Fix rad unit support in gradients (by 刘祺).
  • Fix transition support in Opera 12.
  • Removed Safari TP Grid prefixes support.

6.3.7

  • Fix rare Cannot read property 'constructor' of null issue.

6.3.6

  • Add Safari TP prefix support for Grid Layout.

6.3.5

  • Fix duplicate prefixes for -ms-interpolation-mode.

6.3.4

  • Show users coverage for selected browsers in info().

28.0

  • Happy Birthday @nacin

See #38199

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


4 years ago

#3 @jbpaul17
4 years ago

  • Owner set to jorbin
  • Status changed from new to assigned

#4 follow-up: @swissspidy
4 years ago

Out of curiosity I ran yarn to create a lock file and got the following output which I think is worth considering:

warning grunt > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > findup-sync > glob > minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
warning grunt-patch-wordpress > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

#5 in reply to: ↑ 4 @netweb
4 years ago

Replying to swissspidy:

Out of curiosity I ran yarn to create a lock file and got the following output which I think is worth considering:

warning grunt > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > findup-sync > glob > minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
warning grunt-patch-wordpress > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

You should see similar results from an npm install.

And here's my fresh npm install result for reference:

$ npm install
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN prefer global jshint@2.9.4 should be installed with -g
npm WARN prefer global node-gyp@3.4.0 should be installed with -g

Side Note: My initial testing of YARN has been all positive, I've created ticket #38603 to explore adding Yarn further.
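
The warnings quoted in the two comments above can be triaged mechanically. The following is an added example, not part of the ticket or of WordPress's build tooling: it parses yarn and npm deprecation lines, separates the ReDoS notices from the compatibility ones, and uses yarn's dependency path to name the direct dependencies that pull the flagged packages in. The function names and the keyword heuristic are assumptions of this example; the sample lines are copied from the output above.

```javascript
// Sample input: lines copied from the yarn and npm output quoted above.
const SAMPLE_LOG = `warning grunt > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > findup-sync > glob > minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
warning grunt-patch-wordpress > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN prefer global jshint@2.9.4 should be installed with -g`;

// Heuristic (an assumption of this example): a notice is security-relevant
// when its text mentions ReDoS, "RegExp DoS" or a vulnerability.
const SECURITY_RE = /\b(?:Re(?:gExp )?DoS|vulnerab\w*)/i;

// Parse yarn ("warning a > b > pkg@ver: msg") and npm
// ("npm WARN deprecated pkg@ver: msg") lines into one finding per pkg@version.
function parseWarnings(log) {
  const findings = new Map();
  for (const line of log.split(/\r?\n/)) {
    const m = /^(?:warning|npm WARN deprecated) (.+?): (.*)$/.exec(line.trim());
    if (!m) continue;                    // e.g. "npm WARN prefer global ..."
    const chain = m[1].split(' > ');     // npm prints no path: chain has 1 entry
    const leaf = chain[chain.length - 1];
    const at = leaf.lastIndexOf('@');    // lastIndexOf keeps @scope/name intact
    if (at <= 0) continue;               // no version present, not a package notice
    let f = findings.get(leaf);
    if (!f) {
      f = { name: leaf.slice(0, at), version: leaf.slice(at + 1),
            security: SECURITY_RE.test(m[2]), roots: new Set(), message: m[2] };
      findings.set(leaf, f);
    }
    if (chain.length > 1) f.roots.add(chain[0]); // direct dependency to bump
  }
  return [...findings.values()];
}

// Direct dependencies that pull in at least one security-flagged package.
function securityRoots(findings) {
  const roots = new Set();
  for (const f of findings) if (f.security) f.roots.forEach((r) => roots.add(r));
  return [...roots].sort();
}

console.log(securityRoots(parseWarnings(SAMPLE_LOG)));
```

Only the yarn lines carry the dependency path, so an npm-only log yields findings with empty `roots`; `npm ls <package>`, as the graceful-fs notice suggests, fills that gap.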

This ticket was mentioned in Slack in #core by helen. View the logs.


4 years ago

#8 @jorbin
4 years ago

In 39113:

Bump grunt-contrib-qunit from 1.1.0 to 1.2.0

Changelog:
2016-04-14   v1.2.0   Add support for filtering running modules using command line (--modules) Removed 'grunt.warn' output from error.onError handler, onus now on end user binding to event. Update docs.

See #38199.

#9 @jorbin
4 years ago

In 39114:

Bump autoprefixer from 6.5.0 to 6.5.1

Changelog
Fix selectors with :-- prefix support.

See #38199.

M package.json

#10 @jorbin
4 years ago

In 39115:

Bump grunt-contrib-compress from 1.1.0 to 1.3.0

Changelog:
2016-05-24   v1.3.0   Update to Archiver 1.0. Fix node 6 support.
2016-03-24   v1.2.0   Dependency update.

See #38199

#11 @jorbin
4 years ago

In 39116:

Bump grunt-contrib-cssmin from v1.0.0 to v1.0.2

Changelog:
2016-08-31   v1.0.2   Fix issues for node 6.
2016-03-16   v1.0.1   Downgrade maxmin to support Node.js 0.10.

See #38199.

#12 @jorbin
4 years ago

In 39117:

Bump grunt-contrib-uglify from 1.0.1 to 2.0.0

Sets screwIE8 to false as it is now enabled by default

Files Changed:
build/wp-admin/js/customize-nav-menus.min.js
build/wp-admin/js/customize-widgets.min.js
build/wp-includes/js/customize-loader.min.js

Changelog:
2016-07-19   v2.0.0   Update uglify-js to v2.7.0. screwIE8 is enabled by default.
2016-07-19   v1.0.2   Update grunt to 1.0.0. Fix beautify when passed as an object. Fix docs about report values.

See #38199.

#14 @jorbin
4 years ago

In 39119:

Revert [39118] due to incompatibility with node v0.10.x

Props nacin

See #38199.

@netweb
4 years ago

#15 @netweb
4 years ago

Patch 38199.diff contains updates to grunt, grunt-legacy-util, and grunt-includes

Research following commit r39118 and subsequent revert r39119 did *not* break the build server due to a NodeJS incompatibility:

  • grunt-includes has peerDependencies of "grunt": ">=1.0.0" (src)
  • grunt-includes has a minimum NodeJS version of "node": ">= 0.8.0" (src)
  • grunt-includes incorporates Travis CI testing for NodeJS 0.10.x, with current Travis CI tests passing

I've tested each of the following tasks individually and each worked as expected:

  • grunt, grunt build
  • grunt watch (Tested watching PHP, CSS, SCSS, JS files)
  • grunt travis:js, grunt travis:phpunit
  • grunt qunit, grunt qunit:compiled
  • grunt precommit, grunt prerelease
  • grunt includes, grunt includes:emoji, grunt includes:embed

What's the worst that could happen, Friday commit right here in 38199.diff #yolo

#16 follow-up: @jorbin
4 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

Due to the build server having an old version of node and it causing issues, I'm going to close this ticket even though not everything is bumped and then bump the remaining things early in 4.8.

@netweb Each package needs to be bumped individually so that if there is a problem with the build we can easily track it down to what caused the issue.

#17 in reply to: ↑ 16 @netweb
4 years ago

Replying to jorbin:

Due to the build server having an old version of node and it causing issues, I'm going to close this ticket even though not everything is bumped and then bump the remaining things early in 4.8.

@netweb Each package needs to be bumped individually so that if there is a problem with the build we can easily track it down to what caused the issue.

To clarify, @39118 broke the build server because it depends on Grunt v1.0.0, it was not due to the NodeJS version being used on the build server.

The reasoning behind why I added all 3 outstanding npm packages in a single patch was because they pretty much depend on each other :)

  1. grunt-legacy-util v1.0.0 (No new requirements, though released alongside Grunt v1.x for compat reasons)
  2. grunt 1.x requires grunt-legacy-util v1.0.0
  3. grunt-includes requires grunt 1.x

Note: when committing these as part of 4.8 early they need to be committed in the above order if committed one by one
