Opened 4 months ago

Closed 12 days ago

#49768 closed defect (bug) (fixed)

Update/Audit NPM dependencies for 5.5

Reported by: whyisjake Owned by: whyisjake
Milestone: 5.5 Priority: normal
Severity: normal Version: trunk
Component: Build/Test Tools Keywords: has-patch
Focuses: Cc:

Description

Carrying some of the work out of #49547, we were able to push some upstream dependencies to update.

Attachments (4)

49768.diff (25.1 KB) - added by whyisjake 4 months ago.
49768.2.diff (44.4 KB) - added by SergeyBiryukov 4 months ago.
49768.3.diff (103.5 KB) - added by SergeyBiryukov 2 months ago.
49768-themes.diff (552.9 KB) - added by desrosj 2 months ago.

Change History (28)

#1 @whyisjake
4 months ago

  • Owner set to whyisjake
  • Status changed from new to assigned

#2 @SergeyBiryukov
4 months ago

#49707 was marked as a duplicate.

This ticket was mentioned in PR #212 on WordPress/wordpress-develop by whyisjake.
4 months ago

Dependency bump coming out of a security audit.

Trac ticket: https://core.trac.wordpress.org/ticket/49768

#4 @SergeyBiryukov
4 months ago

  • Keywords has-patch added

With grunt-contrib-qunit bumped to 3.1.0 and now requiring puppeteer, PUPPETEER_SKIP_CHROMIUM_DOWNLOAD apparently needs to be reset for JS tests to pass, otherwise they produce a fatal error as seen in this build:

>> There was an error with headless chrome
Fatal error: Chromium revision is not downloaded. Run "npm install" or "yarn install"

49768.2.diff handles that, and also keeps tilde and caret ranges for grunt, grunt-contrib-imagemin, and grunt-contrib-qunit versions in package.json.

#5 @whyisjake
2 months ago

There are still like 20k warnings, but I want to get this committed, and then work on paring down the rest.

#6 @whyisjake
2 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 47867:

Build/Test Tools: Bump devDependencies for WordPress 5.5

There are several other changes that need to be made for the security audit, this is just the first pass.

Fixes #49768.
Props SergeyBiryukov, whyisjake.

#7 @whyisjake
2 months ago

In 47868:

Build/Test Tools: Bump devDependencies for WordPress 5.5.

Bumping a few more dependencies as a result of npm audit.

Fixes #49768.
Props whyisjake.

#8 @SergeyBiryukov
2 months ago

  • Keywords needs-patch added; has-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

[47868] was reverted in [47869], reopening for further work.

#9 @SergeyBiryukov
2 months ago

For reference, the build failed with:

npm ERR! Invalid dependency type requested: alias

npm has supported dependency aliases since version 6.9.0; WordPress is still using 6.1.0. It seems like bumping the version should fix the failures.
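The comment above explains the build failure as a version gap: alias dependency specs need npm 6.9.0 or newer, and the build image had 6.1.0. The following preflight check is an added example, not a script from the ticket or from wordpress-develop; it compares the npm on PATH against that 6.9.0 floor (taken from the comment) before a build runs, so a too-old npm fails early with a clear message instead of an "Invalid dependency type requested: alias" error mid-install. Version strings are assumed to be plain major.minor.patch (an optional leading "v" and a "-prerelease" suffix are stripped).

```shell
#!/bin/sh
# Added example (not from the ticket): fail a build early when the npm in PATH
# is too old to understand "alias" dependency specs in package.json.

# ver_ge A B -> exit 0 when semver A >= B.
# Assumes "major.minor.patch"; strips a leading "v" and any "-prerelease" suffix.
ver_ge() {
    a=${1#v}; a=${a%%-*}
    b=${2#v}; b=${b%%-*}
    a1=${a%%.*}; r=${a#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${b%%.*}; r=${b#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# First npm release that accepts "npm:pkg@range" alias specs (per comment #9).
NPM_MIN_FOR_ALIAS=6.9.0

# check_npm_alias_support [VERSION]
# Uses VERSION when given (handy for tests); otherwise asks the npm on PATH.
# Returns 0 if the version is new enough, 1 if too old, 2 if npm is missing.
check_npm_alias_support() {
    v=${1:-$(npm --version 2>/dev/null)}
    if [ -z "$v" ]; then
        echo "preflight: npm not found on PATH" >&2
        return 2
    fi
    if ver_ge "$v" "$NPM_MIN_FOR_ALIAS"; then
        echo "preflight: npm $v supports alias dependencies (>= $NPM_MIN_FOR_ALIAS)"
        return 0
    fi
    echo "preflight: npm $v is too old for alias dependencies; need >= $NPM_MIN_FOR_ALIAS" >&2
    return 1
}

# Run against the npm on PATH when invoked as:  sh npm-preflight.sh run
# (the argument guard keeps sourcing this file free of side effects).
if [ "${1:-}" = "run" ]; then
    check_npm_alias_support
fi
```

Drop the same check in front of `npm ci` in a CI job so the job reports the npm version gap rather than a confusing install error.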

#10 @SergeyBiryukov
2 months ago

Per comment 5 on #meta4974:

Version 12.16.3 of node.js and version 6.14.4 of NPM have been deployed to the build infrastructure

It should therefore be possible to use these newer versions in core.

#11 @SergeyBiryukov
2 months ago

With 49768.3.diff, the build passes.

I've left out the @wordpress/scripts version bump, as it's generally up to the Editor team to bump those dependencies in tickets like [47106] / #49204.

#12 @SergeyBiryukov
2 months ago

  • Keywords has-patch added; needs-patch removed

#13 @SergeyBiryukov
2 months ago

In 47872:

Build/Test Tools: Switch to Node 12.16.0 (LTS) and npm 6.14.0.

See #49768.

#14 @SergeyBiryukov
2 months ago

In 47873:

Build/Test Tools: Bump node-sass and webpack-dev-server versions as a result of npm audit.

Props whyisjake.
See #49768.

#15 @whyisjake
2 months ago

Thanks for digging into this @SergeyBiryukov.

#16 @desrosj
2 months ago

49768-themes.diff updates a few packages in Twenty Twenty and Twenty Nineteen to the latest versions and addresses a few issues flagged by npm audit. I ran tests, and everything seemed to work correctly to me. The only difference in behavior as a result of these changes is the consolidation of a single CSS rule.

#17 @desrosj
2 months ago

In 47925:

Bundled Themes: Update several package versions in Twenty Twenty and Twenty Nineteen.

The following packages received version bumps:

Twenty Twenty

  • concurrently
  • postcss-cli
  • rtlcss
  • stylelint-a11y

Twenty Nineteen

  • node-sass
  • postcss-cli
  • rtlcss

See #49768.

This ticket was mentioned in Slack in #core by whyisjake.
6 weeks ago

#19 @whyisjake
6 weeks ago

#49702 was marked as a duplicate.

#20 @whyisjake
6 weeks ago

#49840 was marked as a duplicate.

#21 @whyisjake
4 weeks ago

In 48434:

Build/Test Tools: Bump lodash as part of an npm audit.

lodash 4.17.17 👉 4.17.19

See #49768.

#22 @whyisjake
3 weeks ago

In 48501:

Build/Test Tools: Bump lodash in twentytwenty as part of a security audit.

lodash: 4.17.15 👉 4.17.19

See #49768.
Props: dependabot.

#23 @desrosj
2 weeks ago

In 48515:

Build/Test Tools: Update NPM packages in Twenty Nineteen.

This updates three packages:

  • @wordpress/browserslist-config from 2.5.0 to 2.7.0
  • autoprefixer from 9.6.0 to 9.8.5
  • chokidar-cli from 2.0.0 to 2.1.0

See #49768.

#24 @SergeyBiryukov
12 days ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Follow-up: #50769
