#48203 closed defect (bug) (fixed)
Update/Audit npm Dependencies
Reported by: | whyisjake | Owned by: | jorbin |
---|---|---|---|
Milestone: | 5.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Build/Test Tools | Keywords: | has-patch needs-refresh |
Focuses: | | Cc: | |
Description
When running npm audit, there are several packages that have issues that can be resolved. This is a first pass at solving those issues.
Attachments (3)
Change History (13)
#3, 5 years ago
@desrosj, for the final issues, I think we need to fork the grunt-replace module. There doesn't seem to be any way to bring in upstream changes, as the security fixes have been open for over a year without being touched.
I could fork/publish to my personal lib, but would it make sense to publish under the WordPress npm account?
#5, 5 years ago
In this second patch, I have forked/updated the grunt-replace library.
=== npm audit security report ===
found 0 vulnerabilities in 979296 scanned packages
#6, 5 years ago
- Keywords needs-refresh added
- Milestone changed from 5.4 to 5.3
@whyisjake Can you update the patch here so that it only updates grunt-contrib-imagemin, and #48217 can update grunt-replace, please, just so that the fork docs associated with that commit are kept separate. Thanks.
Also, don't remove the ~ tilde character from the SemVer range in package.json. Use "grunt-contrib-imagemin": "~3.1.0", and not "grunt-contrib-imagemin": "3.1.0", please.
Happy for this group of tickets to land in 5.3 if you've the time to commit them soonish.
p.s. Don't forget to regenerate the lock between these two tickets ;)
Was there a reason for going with an exact version number instead of a range like ~3.1.0? Other than that, this looks good. I'm putting this in 5.4, but I don't feel strongly against committing this before 5.3 beta 3 if you have the time, @whyisjake.
For reference, before this change the issues were listed as: 26 vulnerabilities (16 low, 7 moderate, 3 high), and after the patch the issues are listed as: 3 vulnerabilities (1 low, 2 high).
Also, the results of grunt imagemin should be committed after upgrading grunt-contrib-imagemin, for consistency.
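As an added example (not code from this ticket, from WordPress core, or from the npm semver package), the following minimal matcher shows what the "~3.1.0" range discussed in the two comments above admits compared with the exact pin "3.1.0": the tilde lets the next lock regeneration pick up patch releases (where security fixes for a dependency normally land) while staying below the next minor, whereas the exact pin will never move without a manual edit. It deliberately ignores pre-release tags and build metadata, and the list of published versions is constructed for illustration, not the real grunt-contrib-imagemin release history.

```javascript
// Added example: minimal SemVer tilde-range matcher. Not the npm `semver`
// package; pre-release tags and build metadata are intentionally unsupported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison field by field (major, minor, patch); -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Expand a dependency spec into [lower, upper): inclusive lower bound,
// exclusive upper bound. Rules implemented (from the npm semver docs):
//   "3.1.0"  -> exactly 3.1.0
//   "~3.1.0" -> >=3.1.0 <3.2.0   patch updates allowed
//   "~3.1"   -> >=3.1.0 <3.2.0
//   "~3"     -> >=3.0.0 <4.0.0   minor updates allowed when no minor is given
function rangeBounds(spec) {
  spec = spec.trim();
  const tilde = spec.startsWith('~');
  const parts = (tilde ? spec.slice(1) : spec).split('.');
  if (parts.length < 1 || parts.length > 3 || parts.some(p => !/^\d+$/.test(p))) {
    throw new Error(`unsupported range: ${spec}`);
  }
  if (!tilde && parts.length !== 3) {
    throw new Error(`exact pins must have three components: ${spec}`);
  }
  const [major, minor = 0, patch = 0] = parts.map(Number);
  const lower = `${major}.${minor}.${patch}`;
  if (!tilde) {
    // Exact pin: only this version satisfies, i.e. [v, next patch).
    return { lower, upper: `${major}.${minor}.${patch + 1}` };
  }
  const upper = parts.length >= 2 ? `${major}.${minor + 1}.0` : `${major + 1}.0.0`;
  return { lower, upper };
}

function satisfies(version, spec) {
  const { lower, upper } = rangeBounds(spec);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Highest published version that satisfies the spec: what a lock regeneration
// would resolve to. Returns null when nothing matches.
function maxSatisfying(versions, spec) {
  const ok = versions.filter(v => satisfies(v, spec)).sort(compareVersions);
  return ok.length === 0 ? null : ok[ok.length - 1];
}

// Constructed release list for illustration (assumption: not the real
// grunt-contrib-imagemin history).
const published = ['3.0.0', '3.1.0', '3.1.1', '3.1.2', '3.2.0', '4.0.0'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const spec of ['3.1.0', '~3.1.0', '~3.1', '~3']) {
    console.log(spec.padEnd(8), '->', maxSatisfying(published, spec));
  }
}
```

With the constructed list, "3.1.0" resolves only to 3.1.0, while "~3.1.0" resolves to 3.1.2 and would also take a later 3.1.x published with a security fix; "~3" widens that to 3.2.0. The caveat the comments imply still holds: a wider range only helps once the lock file is regenerated, so after changing package.json the lock must be rebuilt and committed.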