Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run npm audit fix to get rid of vulnerabilities #13876

Merged
merged 3 commits into from
Feb 15, 2019
Merged

Run npm audit fix to get rid of vulnerabilities #13876

merged 3 commits into from
Feb 15, 2019

Conversation

gziolo
Copy link
Member

@gziolo gziolo commented Feb 14, 2019
edited
Loading

Before

$ npm install

audited 135059 packages in 46.027s
found 2033 vulnerabilities (2028 moderate, 5 high)
  run `npm audit fix` to fix them, or `npm audit` for details

After

$ npm audit fix

+ lerna@3.11.1
+ @babel/core@7.2.2
+ @babel/traverse@7.2.3
+ lodash@4.17.11
added 99 packages from 74 contributors, removed 26 packages, updated 93 packages and moved 5 packages in 26.426s
fixed 1149 of 2033 vulnerabilities in 135059 scanned packages
  884 vulnerabilities required manual review and could not be updated

$ npm install

audited 139596 packages in 42.954s
found 0 vulnerabilities

@gziolo gziolo added the [Type] Build Tooling Issues or PRs related to build tooling label Feb 14, 2019
@gziolo gziolo added this to the 5.1 (Gutenberg) milestone Feb 14, 2019
@gziolo
Copy link
Member Author

gziolo commented Feb 14, 2019

I'm also looking whether we should update lodash and @babel/* in all packages to the latest versions.

@aduth
Copy link
Member

aduth commented Feb 14, 2019

I'm also looking whether we should update lodash and @babel/* in all packages to the latest versions.

To this point, we updated the one instance of lodash here, but:

  • What about the many other instances of lodash@4.17.10 which (still) exist as dependencies of individual modules?
  • Which of these, if any, should be tied explicitly to the version of Lodash shipped with core? (4.17.11)

@gziolo
Copy link
Member Author

gziolo commented Feb 14, 2019

I updated all instances of lodash to align with the root package.json file, and I did version bump for all @babel/* packages to prevent the same vulnerabilities to be the thing when packages are installed from npm.

See cb965b4

@nerrad
Copy link
Contributor

nerrad commented Feb 14, 2019

  • Will CHANGELOG.md updates be needed for something like this?
  • Will there need to be a patch submitted to https://core.trac.wordpress.org for upping the lodash version in wp core (or is that what @aduth's comment above already addresses?)

@gziolo
Copy link
Member Author

gziolo commented Feb 14, 2019
edited
Loading

Will there need to be a patch submitted to https://core.trac.wordpress.org for upping the lodash version in wp core

It was already bumped in core according to linked file from trunk.

  • Will CHANGELOG.md updates be needed for something like this?

I don't know. There are no breaking changes introduced. We should finally clarify what minor version bump of dependency means in the context of the changelog.

@gziolo gziolo self-assigned this Feb 14, 2019
@gziolo gziolo merged commit 9fa933f into master Feb 15, 2019
@gziolo gziolo deleted the update/npm-audit-fix branch February 15, 2019 07:38
@gziolo gziolo mentioned this pull request Feb 15, 2019
Merged
dmsnell
dmsnell reviewed Feb 16, 2019
View reviewed changes
packages/block-serialization-default-parser/package.json
@@ -21,7 +21,7 @@
"module": "build-module/index.js",
"react-native": "src/index",
"dependencies": {
"@babel/runtime": "^7.0.0"
"@babel/runtime": "^7.3.1"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 thanks

This was referenced Feb 18, 2019
Merged
Merged
youknowriad pushed a commit that referenced this pull request Mar 6, 2019
@gziolo @youknowriad
Run npm audit fix to get rid of vulnerabilities (#13876)
be5a016 
* Run npm audit fix to get rid of vulnerabilities

* Bump all Babel packages to the latest version

* Update lodash version in PHP file
youknowriad pushed a commit that referenced this pull request Mar 6, 2019
@gziolo @youknowriad
Run npm audit fix to get rid of vulnerabilities (#13876)
a5d51a9 
* Run npm audit fix to get rid of vulnerabilities

* Bump all Babel packages to the latest version

* Update lodash version in PHP file
This was referenced Apr 30, 2020
Closed
Closed
Merged
Merged
Merged
Closed
Closed
Closed
Closed
Merged
Closed
Merged
Closed
Merged
Closed
Closed
Closed
This was referenced Jul 16, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmsnell dmsnell dmsnell left review comments

@youknowriad youknowriad youknowriad approved these changes

@aduth aduth Awaiting requested review from aduth

@adamsilverstein adamsilverstein Awaiting requested review from adamsilverstein

@ajitbohra ajitbohra Awaiting requested review from ajitbohra

@atimmer atimmer Awaiting requested review from atimmer

@chrisvanpatten chrisvanpatten Awaiting requested review from chrisvanpatten

@ellatrix ellatrix Awaiting requested review from ellatrix

@jorgefilipecosta jorgefilipecosta Awaiting requested review from jorgefilipecosta

@mmtr mmtr Awaiting requested review from mmtr

@nerrad nerrad Awaiting requested review from nerrad

@noisysocks noisysocks Awaiting requested review from noisysocks

@oandregal oandregal Awaiting requested review from oandregal

@notnownikki notnownikki Awaiting requested review from notnownikki

@ntwb ntwb Awaiting requested review from ntwb

@Soean Soean Awaiting requested review from Soean

@swissspidy swissspidy Awaiting requested review from swissspidy

@talldan talldan Awaiting requested review from talldan

Assignees

@gziolo gziolo

Labels
[Type] Build Tooling Issues or PRs related to build tooling
Projects
None yet
Milestone
5.1 (Gutenberg)
Development

Successfully merging this pull request may close these issues.
5 participants
@gziolo @aduth @nerrad @youknowriad @dmsnell