Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#48217 closed defect (bug) (fixed)

Fork and Update `grunt-replace`

Reported by: whyisjake
Owned by: jorbin
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: has-patch commit
Focuses:
Cc:

Description

The version of grunt replace that is bundled in core is using an outdated version of lodash that is bringing 2 low, 3 high, and 1 critical issue. This package is currently abandoned. There is a community forked version, but that is also harboring some similar security issues.

I have forked grunt-replace into grunt-replace-lts. This patch brings the new package over into core.

Related: #48203 and #48206
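The ticket's finding is a transitive one: the vulnerable lodash is not a direct dependency of core but is pulled in by an abandoned build plugin. Before swapping a package out, a maintainer usually wants to know every dependency chain that reaches the vulnerable module and which top-level packages are responsible. The script below is an added example, not part of this ticket, the attached patch or WordPress's build tooling: it walks a constructed npm lockfile (v1 layout, with nested "dependencies" and "requires"), lists each chain that ends at a target package with the version that chain actually resolves to (nearest nested copy first, then the hoisted root copy), and flags chains below a minimum version. All package versions, the nesting, and the 4.17.12 threshold are constructed sample values, not the real audit findings.

```javascript
// Added example (not from the ticket or WordPress core): trace every dependency
// chain in an npm v1 lockfile that ends at a target package, resolve the version
// each chain really gets, and flag chains below a minimum version.

// Constructed lockfile fragment: versions and nesting are sample values chosen
// to show hoisted vs nested resolution, not real data from the ticket.
const SAMPLE_LOCKFILE = {
  name: 'build-tools-example',
  lockfileVersion: 1,
  dependencies: {
    'grunt-replace': {
      version: '1.0.0',
      dev: true,
      requires: { applause: '1.2.0', lodash: '4.17.4' },
    },
    applause: {
      version: '1.2.0',
      dev: true,
      requires: { lodash: '4.17.4' },
    },
    // Hoisted to the root: grunt-replace and applause both resolve to this copy.
    lodash: { version: '4.17.4', dev: true },
    'grunt-replace-lts': {
      version: '1.0.0',
      dev: true,
      requires: { lodash: '4.17.15' },
      // Nested copy shadows the hoisted one for this package only.
      dependencies: { lodash: { version: '4.17.15', dev: true } },
    },
    'unrelated-plugin': { version: '2.0.0', dev: true },
  },
};

// Compare dotted "major.minor.patch" strings numerically (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return every chain [topLevel, ..., target] together with the version that
// chain resolves to. Resolution mimics npm: the nearest enclosing
// "dependencies" map containing the name wins, falling back to the root.
function findPathsTo(lockfile, target) {
  const root = lockfile.dependencies || {};
  const results = [];

  function walk(node, scopes, path, visited) {
    const scopesHere = node.dependencies ? [node.dependencies, ...scopes] : scopes;
    for (const reqName of Object.keys(node.requires || {})) {
      const scope = scopesHere.find((s) => Object.prototype.hasOwnProperty.call(s, reqName));
      if (!scope) continue; // unresolvable entry; a consistent lockfile has none
      const child = scope[reqName];
      const childPath = [...path, reqName];
      if (reqName === target) {
        results.push({ path: childPath, version: child.version });
        continue;
      }
      if (visited.has(child)) continue; // cycle guard
      walk(child, scopesHere, childPath, new Set([...visited, child]));
    }
  }

  for (const [name, node] of Object.entries(root)) {
    if (name === target) continue;
    walk(node, [root], [name], new Set([node]));
  }
  return results;
}

// Chains whose resolved target version is older than minSafeVersion.
function flagOutdatedChains(lockfile, target, minSafeVersion) {
  return findPathsTo(lockfile, target)
    .filter((r) => compareVersions(r.version, minSafeVersion) < 0)
    .map((r) => ({ topLevel: r.path[0], chain: r.path.join(' > '), version: r.version }));
}

// Top-level packages that must be replaced or upgraded to clear the finding.
function topLevelOffenders(lockfile, target, minSafeVersion) {
  const names = flagOutdatedChains(lockfile, target, minSafeVersion).map((f) => f.topLevel);
  return [...new Set(names)].sort();
}

// Demo run: '4.17.12' is a constructed threshold, not a real advisory cutoff.
for (const f of flagOutdatedChains(SAMPLE_LOCKFILE, 'lodash', '4.17.12')) {
  console.log(`${f.chain}  (lodash ${f.version})`);
}
console.log('replace/upgrade:', topLevelOffenders(SAMPLE_LOCKFILE, 'lodash', '4.17.12').join(', '));
```

On the constructed data the only top-level packages flagged are grunt-replace and applause; the fork's nested lodash copy resolves separately and is not flagged, which is the same kind of result that justifies swapping a top-level plugin rather than patching the hoisted module in place.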

Attachments (1)

48217.diff (2.6 KB) - added by whyisjake 5 years ago.


Change History (5)

@whyisjake
5 years ago

#1 @whyisjake
5 years ago

NPM and Github

Ideally, we should try to push this upstream. The repo hasn't been active in almost two years, including open pull requests for security updates.

#2 @whyisjake
5 years ago

  • Component changed from General to Build/Test Tools

#3 @netweb
5 years ago

  • Keywords commit added; 2nd-opinion removed
  • Milestone changed from Awaiting Review to 5.3

The fork and patch 48217.diff LGTM @whyisjake

#4 @jorbin
5 years ago

  • Owner set to jorbin
  • Resolution set to fixed
  • Status changed from assigned to closed

In 46403:

Build/Test Tools: Fork and Update grunt-replace

The version of grunt replace that is bundled in core is using an outdated version of lodash that is bringing 2 low, 3 high, and 1 critical issue. This package is currently abandoned. There is a community forked version, but that is also harboring some similar security issues.

This switches to a fork by @whyisjake and causes no change to the build.

See #48203.
Fixes #48217.
Props whyisjake, netweb for testing.
