#38199 closed task (blessed) (fixed)
Update npm dependencies for 4.7
Reported by: | jorbin | Owned by: | jorbin |
---|---|---|---|
Milestone: | 4.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Build/Test Tools | Keywords: | |
Focuses: | Cc: |
Description
Standard tracking ticket for all 4.7 related npm package bumps.
Attachments (1)
Change History (18)
This ticket was mentioned in Slack in #core by jeffpaul. View the logs.
8 years ago
#4 follow-up: ↓ 5 @ 8 years ago
Out of curiosity I ran `yarn` to create a lock file and got the following output which I think is worth considering:
```
warning grunt > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > findup-sync > glob > minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
warning grunt > glob > graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
warning grunt-patch-wordpress > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
```
#5 in reply to: ↑ 4 @ 8 years ago
Replying to swissspidy:
> Out of curiosity I ran `yarn` to create a lock file and got the following output which I think is worth considering:
> ```
> warning grunt > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> warning grunt > glob > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> warning grunt > findup-sync > glob > minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> warning grunt > glob > graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
> warning grunt-patch-wordpress > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
> ```

You should see similar results from an `npm install`.
And here's my fresh `npm install` result for reference:
```
$ npm install
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN prefer global jshint@2.9.4 should be installed with -g
npm WARN prefer global node-gyp@3.4.0 should be installed with -g
```
Side Note: My initial testing of YARN has been all positive, I've created ticket #38603 to explore adding Yarn further.
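Added example (not part of the ticket comments or of the WordPress build tooling): a Node.js script that parses yarn and npm deprecation output like that quoted above, separates security-relevant notices from compatibility ones, and records which direct dependency pulls each package in. The function names and the keyword list in `SECURITY_RE` are assumptions made for this illustration.

```javascript
// Lines copied from the yarn and npm output quoted in the comments above.
const SAMPLE_LOG = [
  'warning grunt > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'warning grunt > glob > minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'warning grunt > findup-sync > glob > minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  "warning grunt > glob > graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.",
  'warning grunt-patch-wordpress > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130',
  'npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'npm WARN prefer global jshint@2.9.4 should be installed with -g',
].join('\n');

// Assumption: these keywords are what marks a deprecation notice as security-relevant.
const SECURITY_RE = /redos|regexp? dos|vulnerab|advisor/i;
const PREFIXES = ['warning ', 'npm WARN deprecated '];

// Parse one yarn ("warning a > b > pkg@ver: msg") or npm
// ("npm WARN deprecated pkg@ver: msg") line; anything else returns null.
function parseWarning(line) {
  const prefix = PREFIXES.find((p) => line.startsWith(p));
  if (!prefix) return null;
  const rest = line.slice(prefix.length);
  const sep = rest.indexOf(': ');
  if (sep === -1) return null;
  const chain = rest.slice(0, sep).split(' > ');
  const spec = chain[chain.length - 1];
  const at = spec.lastIndexOf('@'); // lastIndexOf keeps scoped names (@scope/pkg) intact
  if (at <= 0) return null;
  // npm's flat output carries no path; yarn's chain starts at the direct dependency.
  return { pkg: spec, root: chain.length > 1 ? chain[0] : null, message: rest.slice(sep + 2) };
}

// Deduplicate by pkg@version, collect the direct dependencies that pull each
// one in, and list security-relevant findings first.
function triage(log) {
  const found = new Map();
  for (const line of log.split(/\r?\n/)) {
    const w = parseWarning(line.trim());
    if (!w) continue;
    const f = found.get(w.pkg) || { pkg: w.pkg, security: SECURITY_RE.test(w.message), roots: new Set() };
    if (w.root) f.roots.add(w.root);
    found.set(w.pkg, f);
  }
  return [...found.values()]
    .map((f) => ({ ...f, roots: [...f.roots].sort() }))
    .sort((a, b) => Number(b.security) - Number(a.security) || (a.pkg < b.pkg ? -1 : 1));
}

console.log(triage(SAMPLE_LOG));
```

The `roots` column shows which entry in `package.json` has to be bumped to clear each warning: here `grunt` for both `minimatch` versions and `graceful-fs`, and `grunt-patch-wordpress` for `tough-cookie`.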
This ticket was mentioned in Slack in #core by helen. View the logs.
8 years ago
#15 @ 8 years ago
Patch 38199.diff contains updates to `grunt`, `grunt-legacy-util`, and `grunt-includes`
- `grunt` 0.4.5 -> 1.0.1 (changelog)
- `grunt-legacy-util` 0.2.0 -> 1.0.0 (changelog: https://github.com/gruntjs/grunt-legacy-util/compare/v0.2.0...v1.0.0)
- `grunt-includes` 0.5.4 -> 1.0.0 (changelog)

Research following commit r39118 and subsequent revert r39119 did *not* break the build server due to a NodeJS incompatibility:
- `grunt-includes` has `peerDependencies` of `"grunt": ">=1.0.0"` (src)
- `grunt-includes` has a minimum NodeJS version of `"node": ">= 0.8.0"` (src)
- `grunt-includes` incorporates Travis CI testing for NodeJS 0.10.x, with current Travis CI tests passing

I've tested each of the following tasks individually and each worked as expected:
- `grunt`, `grunt build`
- `grunt watch` (Tested watching PHP, CSS, SCSS, JS files)
- `grunt travis:js`, `grunt travis:phpunit`, `grunt qunit`, `grunt qunit:compiled`
- `grunt precommit`, `grunt prerelease`
- `grunt includes`, `grunt includes:emoji`, `grunt includes:embed`
What's the worst that could happen, Friday commit right here in 38199.diff #yolo
#16 follow-up: ↓ 17 @ 8 years ago
- Resolution set to fixed
- Status changed from assigned to closed
Due to the build server having an old version of node and it causing issues, I'm going to close this ticket even though not everything is bumped and then bump the remaining things early in 4.8.
@netweb Each package needs to be bumped individually so that if there is a problem with the build we can easily track it down to what caused the issue.
#17 in reply to: ↑ 16 @ 8 years ago
Replying to jorbin:
> Due to the build server having an old version of node and it causing issues, I'm going to close this ticket even though not everything is bumped and then bump the remaining things early in 4.8.
> @netweb Each package needs to be bumped individually so that if there is a problem with the build we can easily track it down to what caused the issue.

To clarify @39118 broke the build server because it depends on Grunt v1.0.0, it was not due to the NodeJS version being used on the build server.
The reasoning behind why I added all 3 outstanding npm packages in a single patch was because they pretty much depend on each other :)
- `grunt-legacy-util` v1.0.0 (No new requirements, though released alongside Grunt v1.x for compat reasons)
- `grunt` 1.x requires `grunt-legacy-util` v1.0.0
- `grunt-includes` requires `grunt` 1.x

Note: when committing these as part of 4.8 early they need to be committed in the above order if committed one by one
In 38688: