
Run npm audit fix to get rid of vulnerabilities #13876

Merged
merged 3 commits into from
Feb 15, 2019

Conversation

gziolo
Member

@gziolo gziolo commented Feb 14, 2019

Before

$ npm install

audited 135059 packages in 46.027s
found 2033 vulnerabilities (2028 moderate, 5 high)
  run `npm audit fix` to fix them, or `npm audit` for details

After

$ npm audit fix

+ lerna@3.11.1
+ @babel/core@7.2.2
+ @babel/traverse@7.2.3
+ lodash@4.17.11
added 99 packages from 74 contributors, removed 26 packages, updated 93 packages and moved 5 packages in 26.426s
fixed 1149 of 2033 vulnerabilities in 135059 scanned packages
  884 vulnerabilities required manual review and could not be updated

$ npm install

audited 139596 packages in 42.954s
found 0 vulnerabilities

@gziolo gziolo added the [Type] Build Tooling Issues or PRs related to build tooling label Feb 14, 2019
@gziolo gziolo added this to the 5.1 (Gutenberg) milestone Feb 14, 2019
@gziolo
Member Author

gziolo commented Feb 14, 2019

I'm also looking whether we should update lodash and @babel/* in all packages to the latest versions.

@aduth
Member

aduth commented Feb 14, 2019

I'm also looking whether we should update lodash and @babel/* in all packages to the latest versions.

To this point, we updated the one instance of lodash here, but:

  • What about the many other instances of lodash@4.17.10 which (still) exist as dependencies of individual modules?
  • Which of these, if any, should be tied explicitly to the version of Lodash shipped with core? (4.17.11)

@gziolo
Member Author

gziolo commented Feb 14, 2019

I updated all instances of lodash to align with the root package.json file, and I did a version bump for all @babel/* packages to prevent the same vulnerabilities from being a thing when packages are installed from npm.

See cb965b4
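The cross-package alignment described in the two comments above (other copies of lodash@4.17.10 in individual modules versus the version in the root package.json) can be checked mechanically. The script below is an added example, not code from the Gutenberg repository; the root manifest and the workspace manifests are constructed samples with hypothetical package names, and `findMisalignedDeps` is an assumed helper name.

```javascript
// Added example: flag workspace package.json files whose dependency range
// admits an older minimum version than the root package.json does for the
// same dependency (e.g. lodash@4.17.10 while the root requires 4.17.11).
// Constructed sample manifests (not the real repository's files):
const rootPkg = {
  dependencies: { lodash: '4.17.11', '@babel/runtime': '^7.3.1' },
};
const workspacePkgs = {
  'pkg-blocks': { dependencies: { lodash: '^4.17.10', '@babel/runtime': '^7.0.0' } },
  'pkg-data':   { dependencies: { lodash: '^4.17.11' } },
  'pkg-i18n':   { devDependencies: { lodash: '~4.17.5' } },
};

// Parse the minimum version a simple range (^, ~, >=, or exact) admits.
// Only these forms are supported; anything else is rejected loudly.
function minVersion(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies'];

// Return every (package, dependency) pair whose minimum version is below the
// minimum the root manifest declares for that dependency. Dependencies the
// root does not declare are not governed by it and are skipped.
function findMisalignedDeps(root, packages) {
  const expected = {};
  for (const field of DEP_FIELDS) Object.assign(expected, root[field] || {});
  const findings = [];
  for (const [name, manifest] of Object.entries(packages)) {
    for (const field of DEP_FIELDS) {
      for (const [dep, range] of Object.entries(manifest[field] || {})) {
        if (!(dep in expected)) continue;
        if (compareVersions(minVersion(range), minVersion(expected[dep])) < 0) {
          findings.push({ package: name, field, dep, range, expected: expected[dep] });
        }
      }
    }
  }
  return findings;
}

console.log(findMisalignedDeps(rootPkg, workspacePkgs));
```

In a real monorepo the `workspacePkgs` map would be built by reading each `packages/*/package.json`; a non-empty result is a reasonable CI failure condition.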

@nerrad
Contributor

nerrad commented Feb 14, 2019

  • Will CHANGELOG.md updates be needed for something like this?
  • Will there need to be a patch submitted to https://core.trac.wordpress.org for upping the lodash version in wp core (or is that what @aduth's comment above already addresses?)

@gziolo
Member Author

gziolo commented Feb 14, 2019

Will there need to be a patch submitted to https://core.trac.wordpress.org for upping the lodash version in wp core

It was already bumped in core according to the linked file from trunk.

  • Will CHANGELOG.md updates be needed for something like this?

I don't know. There are no breaking changes introduced. We should finally clarify what a minor version bump of a dependency means in the context of the changelog.

@gziolo gziolo self-assigned this Feb 14, 2019
@gziolo gziolo merged commit 9fa933f into master Feb 15, 2019
@gziolo gziolo deleted the update/npm-audit-fix branch February 15, 2019 07:38
@@ -21,7 +21,7 @@
"module": "build-module/index.js",
"react-native": "src/index",
"dependencies": {
"@babel/runtime": "^7.0.0"
"@babel/runtime": "^7.3.1"
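Review bot: the change from `"^7.0.0"` to `"^7.3.1"` only raises the floor of the caret range, so installs that already resolved @babel/runtime to 7.3.1 or newer are unaffected and the effect is limited to fresh installs from npm, which matches the stated goal; since it alters what consumers receive, it is worth recording the new minimum in the package's CHANGELOG.md, as asked in the discussion above.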

👍 thanks

youknowriad pushed a commit that referenced this pull request Mar 6, 2019
* Run npm audit fix to get rid of vulnerabilities

* Bump all Babel packages to the latest version

* Update lodash version in PHP file