Fix npm audit report, remove gulp-plumber, gulp-sass-lint and stylelint packages

Created on 12 March 2023, almost 2 years ago
Updated 20 June 2023, over 1 year ago

Problem/Motivation

@Berdir reported that `npm audit` is complaining that multiple packages we are using have security issues, and we should improve the situation.

Note that this does not in any way affect the security of this theme or child themes - npm modules are used only for theme compilation and are not (and should not be) deployed or installed on live sites. However, we should fix this by updating the related modules.

Here is the current security report:

  package name / level / recommendation
  • minimist / multiple criticals / install >=1.2.6
  • acorn / high / install >=5.7.4
  • copy-props / high / install >=2.0.5
  • merge / high / install >=2.1.1
  • shelljs / high / install >=0.8.5
  • http-cache-semantics / high / install >=4.1.1
  • minimatch / high / install >=3.0.5
  • glob-parent / high / install >=5.1.2
  • ansi-regex / high / install >=3.0.1
  • y18n / high / install >=3.2.2
  • kind-of / high / install >=6.0.3
  • ini / high / install >=1.3.6
  • yargs-parser / moderate / install >=5.0.1
  • ajv / moderate / install >=6.12.3
  • jsonpointer / moderate / install >=5.0.0
  • path-parse / moderate / install >=1.0.7
  • hosted-git-info / moderate / install >=2.8.9
  • decode-uri-component / low / install >=0.2.1

Task
Status: Fixed
Version: 1.0
Component: BS Base
Created by: pivica (Serbia)


Comments & Activities

  • Issue created by @pivica
  • Status changed to Needs review almost 2 years ago
  • pivica (Serbia)

    Here is a patch.

    npm/pnpm audit is now reporting just "glob-parent / high / install >=5.1.2", which we cannot update for now because of gulp.

    I've decided to remove gulp-sass-lint because it is not maintained anymore, and we are not using it. It is using old versions of minimist, acorn, merge and shelljs.
    If we need a linter in the future we will replace it with something better - I think that core started pushing linter configurations with modern tools for CSS and JS, which we should use if we want linter support.

    Remove all stylelint packages - they are blocking the update of various modules, and we are not using stylelint for now. Same decision as for gulp-sass-lint.

    We can remove the gulp-plumber package because we are not using it.

    ajv we can remove when we remove gulp-sass-lint and all stylelint packages.

    jsonpointer we can remove when we remove gulp-sass-lint.

    • pivica committed b224dae3 on 8.x-1.x
      Issue #3347496 by pivica: Fix npm audit report, remove gulp-plumber,...
  • Status changed to Fixed over 1 year ago
  • pivica (Serbia)

    Committed.

  • Automatically closed - issue fixed for 2 weeks with no activity.
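
The "package / level / recommendation" rows in the issue description, and the triage in pivica's first comment (a finding such as glob-parent that cannot be fixed without a breaking gulp upgrade), can be produced from `npm audit --json`. The script below is an added example, not code from the issue or from the BS Base theme; it assumes the npm 7+ report format (`auditReportVersion` 2) and runs on a constructed sample report whose advisory ids, versions and ranges are illustrative.

```javascript
// Added example (not from the issue or the theme): triage an `npm audit --json`
// report (auditReportVersion 2, npm 7+) into the "package / level / recommendation"
// rows used in the issue and flag findings a plain `npm update` cannot resolve.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed sample in the shape npm emits; advisory ids (`source`), versions and
// ranges are illustrative, not the theme's real report.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: {
      name: 'minimist', severity: 'critical', isDirect: false, range: '<1.2.6',
      via: [{ source: 1001, name: 'minimist', severity: 'critical', range: '<1.2.6' }],
      effects: ['gulp-sass-lint'], nodes: ['node_modules/minimist'], fixAvailable: true,
    },
    'glob-parent': {
      name: 'glob-parent', severity: 'high', isDirect: false, range: '<5.1.2',
      via: [{ source: 1002, name: 'glob-parent', severity: 'high', range: '<5.1.2' }],
      effects: ['gulp'], nodes: ['node_modules/glob-parent'],
      // The only fix npm offers is a semver-major bump of the dependent (gulp).
      fixAvailable: { name: 'gulp', version: '5.0.0', isSemVerMajor: true },
    },
    'gulp-sass-lint': {
      name: 'gulp-sass-lint', severity: 'critical', isDirect: true, range: '*',
      via: ['minimist'], effects: [], nodes: ['node_modules/gulp-sass-lint'], fixAvailable: false,
    },
  },
};

// Map one vulnerability entry to the wording used in the issue ("install >=X").
function recommendation(v) {
  if (v.fixAvailable === false) return 'no fix available (remove the package or accept the risk)';
  if (typeof v.fixAvailable === 'object') {
    const f = v.fixAvailable;
    return `install ${f.name}@${f.version}${f.isSemVerMajor ? ' (semver-major, breaking change)' : ''}`;
  }
  const m = /^<(=?)([\w.-]+)$/.exec(v.range); // "<1.2.6" -> ">=1.2.6", "<=1.2.5" -> ">1.2.5"
  return m ? `install ${m[1] ? '>' : '>='}${m[2]}` : `update outside range ${v.range}`;
}

// Rows sorted by severity then name; `blocked` marks findings that need a manual decision.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .map(v => ({ name: v.name, level: v.severity, rec: recommendation(v),
      blocked: v.fixAvailable === false || v.fixAvailable.isSemVerMajor === true }))
    .sort((a, b) => SEVERITY_RANK[b.level] - SEVERITY_RANK[a.level] || a.name.localeCompare(b.name));
}

function formatRows(rows) { return rows.map(r => `${r.name} / ${r.level} / ${r.rec}${r.blocked ? '  [manual decision]' : ''}`); }
console.log(formatRows(triage(SAMPLE_AUDIT)).join('\n'));
```

To run it against a real project, replace `SAMPLE_AUDIT` with the parsed output of `npm audit --json`.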
