Skip to content

Run npm audit fix to get rid of vulnerabilities#13876

Merged
gziolo merged 3 commits intomasterfrom
update/npm-audit-fix
Feb 15, 2019
Merged

Run npm audit fix to get rid of vulnerabilities#13876
gziolo merged 3 commits intomasterfrom
update/npm-audit-fix

Conversation

@gziolo
Copy link
Copy Markdown
Member

@gziolo gziolo commented Feb 14, 2019
edited
Loading

Before

$ npm install

audited 135059 packages in 46.027s
found 2033 vulnerabilities (2028 moderate, 5 high)
  run `npm audit fix` to fix them, or `npm audit` for details

After

$ npm audit fix

+ [email protected]
+ @babel/[email protected]
+ @babel/[email protected]
+ [email protected]
added 99 packages from 74 contributors, removed 26 packages, updated 93 packages and moved 5 packages in 26.426s
fixed 1149 of 2033 vulnerabilities in 135059 scanned packages
  884 vulnerabilities required manual review and could not be updated

$ npm install

audited 139596 packages in 42.954s
found 0 vulnerabilities

@gziolo gziolo added the [Type] Build Tooling Issues or PRs related to build tooling label Feb 14, 2019
@gziolo gziolo requested review from aduth and youknowriad February 14, 2019 15:14
@gziolo gziolo added this to the 5.1 (Gutenberg) milestone Feb 14, 2019
@gziolo
Copy link
Copy Markdown
Member Author

gziolo commented Feb 14, 2019

I'm also looking whether we should update lodash and @babel/* in all packages to the latest versions.

@aduth
Copy link
Copy Markdown
Member

aduth commented Feb 14, 2019

I'm also looking whether we should update lodash and @babel/* in all packages to the latest versions.

To this point, we updated the one instance of lodash here, but:

  • What about the many other instances of [email protected] which (still) exist as dependencies of individual modules?
  • Which of these, if any, should be tied explicitly to the version of Lodash shipped with core? (4.17.11)

@gziolo
Copy link
Copy Markdown
Member Author

gziolo commented Feb 14, 2019

I updated all instances of lodash to align with the root package.json file, and I did version bump for all @babel/* packages to prevent the same vulnerabilities to be the thing when packages are installed from npm.

See cb965b4

@nerrad
Copy link
Copy Markdown
Contributor

nerrad commented Feb 14, 2019

@gziolo
Copy link
Copy Markdown
Member Author

gziolo commented Feb 14, 2019
edited
Loading

Will there need to be a patch submitted to https://core.trac.wordpress.org for upping the lodash version in wp core

It was already bumped in core according to linked file from trunk.

  • Will CHANGELOG.md updates be needed for something like this?

I don't know. There are no breaking changes introduced. We should finally clarify what minor version bump of dependency means in the context of the changelog.

@gziolo gziolo self-assigned this Feb 14, 2019
@gziolo gziolo merged commit 9fa933f into master Feb 15, 2019
@gziolo gziolo deleted the update/npm-audit-fix branch February 15, 2019 07:38
@gziolo gziolo mentioned this pull request Feb 15, 2019
Merged
dmsnell
dmsnell reviewed Feb 16, 2019
View reviewed changes
packages/block-serialization-default-parser/package.json
"react-native": "src/index",
"dependencies": {
"@babel/runtime": "^7.0.0"
"@babel/runtime": "^7.3.1"
Copy link
Copy Markdown
Member

@dmsnell dmsnell Feb 16, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 thanks

This was referenced Feb 18, 2019
Merged
Merged
youknowriad pushed a commit that referenced this pull request Mar 6, 2019
@gziolo @youknowriad
Run npm audit fix to get rid of vulnerabilities (#13876)
be5a016 
* Run npm audit fix to get rid of vulnerabilities

* Bump all Babel packages to the latest version

* Update lodash version in PHP file
youknowriad pushed a commit that referenced this pull request Mar 6, 2019
@gziolo @youknowriad
Run npm audit fix to get rid of vulnerabilities (#13876)
a5d51a9 
* Run npm audit fix to get rid of vulnerabilities

* Bump all Babel packages to the latest version

* Update lodash version in PHP file
This was referenced Apr 30, 2020
Closed
Closed
Merged
Merged
Merged
Closed
Closed
Closed
Closed
Merged
Closed
Merged
Closed
Merged
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmsnell dmsnell dmsnell left review comments

@youknowriad youknowriad youknowriad approved these changes

@aduth aduth Awaiting requested review from aduth

@adamsilverstein adamsilverstein Awaiting requested review from adamsilverstein

@ajitbohra ajitbohra Awaiting requested review from ajitbohra

@atimmer atimmer Awaiting requested review from atimmer

@chrisvanpatten chrisvanpatten Awaiting requested review from chrisvanpatten

@ellatrix ellatrix Awaiting requested review from ellatrix

@jorgefilipecosta jorgefilipecosta Awaiting requested review from jorgefilipecosta

@mmtr mmtr Awaiting requested review from mmtr

@nerrad nerrad Awaiting requested review from nerrad

@noisysocks noisysocks Awaiting requested review from noisysocks

@oandregal oandregal Awaiting requested review from oandregal

@notnownikki notnownikki Awaiting requested review from notnownikki

@ntwb ntwb Awaiting requested review from ntwb

@Soean Soean Awaiting requested review from Soean

@swissspidy swissspidy Awaiting requested review from swissspidy

@talldan talldan Awaiting requested review from talldan

Assignees

@gziolo gziolo

Labels

[Type] Build Tooling Issues or PRs related to build tooling

Projects

None yet

Milestone

5.1 (Gutenberg)

Development

Successfully merging this pull request may close these issues.

5 participants

@gziolo @aduth @nerrad @youknowriad @dmsnell