Make WordPress Core

Opened 4 weeks ago

Closed 4 weeks ago

Last modified 4 weeks ago

#49547 closed defect (bug) (fixed)

Update/Audit npm Dependencies for 5.4

Reported by: garrett-eclipse
Owned by: SergeyBiryukov
Milestone: 5.4
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: needs-patch
Focuses:
Cc:

Description

In 5.3 the security team did an audit/update to the NPM dependencies. This was done in #48203 by @whyisjake and @jorbin.

If it's not too late for 5.4 we should try to get in the habit for major releases to run through these and address as much as we can.

As of writing this, running an npm install on trunk gives a warning for 16 vulnerabilities (1 low, 6 moderate, 9 high).

Attachments (2)

npm-audit.txt (34.9 KB) - added by garrett-eclipse 4 weeks ago.
Result of running npm audit
49547.1.patch (630 bytes) - added by ayeshrajans 4 weeks ago.
Here is a patch with the possible automated fixes.

Change History (6)

@garrett-eclipse
4 weeks ago

Result of running npm audit

#1 @SergeyBiryukov
4 weeks ago

  • Milestone changed from Awaiting Review to 5.4

@ayeshrajans
4 weeks ago

Here is a patch with the possible automated fixes.

#2 @SergeyBiryukov
4 weeks ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 @SergeyBiryukov
4 weeks ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 47404:

Build/Test Tools: Bump devDependencies for WordPress 5.4.

Props ayeshrajans, garrett-eclipse.
Fixes #49547.

#4 @whyisjake
4 weeks ago

Adding an upstream PR here: https://github.com/gruntjs/grunt-contrib-imagemin/pull/392.

There are a few issues we can fix and sneak into 5.4.