Skip to content

Scripts: Update puppeteer-core dependency#64597

Merged
gziolo merged 9 commits into
WordPress:trunkfrom
jacobcassidy:wp-scripts-fix
Sep 4, 2024
Merged

Scripts: Update puppeteer-core dependency#64597
gziolo merged 9 commits into
WordPress:trunkfrom
jacobcassidy:wp-scripts-fix

Conversation

@jacobcassidy
Copy link
Copy Markdown
Contributor

@jacobcassidy jacobcassidy commented Aug 17, 2024
edited
Loading

What?

Upgrades the puppeteer-core package to the latest version (23.1.0).

Why?

This PR fixes the issue with @wordpress/scripts having five high-severity vulnerabilities introduced with an older version of the puppeteer-core package.

See: #63771

How?

Removes the sub-dependencies versions with vulnerabilities.

Testing Instructions

  1. In a WP theme development environment, run npm install @wordpress/scripts path webpack-remove-empty-scripts --save-dev
  2. Run npm audit and you'll see a warning for 5 high-severity vulnerabilities.
  3. Add the following to your package.json file: 
    "overrides": {
    "puppeteer-core": "^23.1.0"
}
  4. Run npm install to update the packages.
  5. The vulnerabilities are now removed.

@jacobcassidy
Fix the issue with @wordpress/scripts having 5 high severity vulner…
af26f62 
…abilities by upgrading the `puppeteer-core` package to the latest version (23.1.0)
@jacobcassidy
Update scripts package version to 28.6.0
7373486
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Aug 17, 2024
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: jacobcassidy <[email protected]>
Co-authored-by: gziolo <[email protected]>
Co-authored-by: Mamaduka <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions github-actions Bot added the First-time Contributor Pull request opened by a first-time contributor to Gutenberg repository label Aug 17, 2024
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Aug 17, 2024

👋 Thanks for your first Pull Request and for helping build the future of Gutenberg and WordPress, @jacobcassidy! In case you missed it, we'd love to have you join us in our Slack community.

If you want to learn more about WordPress development in general, check out the Core Handbook full of helpful information.

@jacobcassidy jacobcassidy changed the title Wp scripts fix WP-Scripts fix Aug 17, 2024
@shail-mehta shail-mehta added the [Tool] WP Scripts /packages/scripts label Aug 18, 2024
gziolo
gziolo reviewed Aug 20, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@gziolo gziolo left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for opening this issue. There are some details to polish related to the packages release process. I also see some CI issues reported that need to be further investigated. It looks like the changes to the package-lock.json will require some tweaks to make it work with the monorepo.

@Mamaduka and @swissspidy – do we still use Puppeteer for e2e tests in any place in Gutenebrg or WordPress core? What's the plan with the scripts powered by Puppeteer? How can we test these changes?

Comment thread packages/scripts/package.json
Comment thread packages/scripts/CHANGELOG.md Outdated
@Mamaduka
Copy link
Copy Markdown
Member

Mamaduka commented Aug 20, 2024

@gziolo, we do not, but it needs to be removed in a backward-compatible manner. See #60357.

@Mamaduka Mamaduka changed the title WP-Scripts fix Scripts: Update dependencies Aug 20, 2024
gziolo
gziolo approved these changes Aug 30, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@gziolo gziolo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the follow-up commits. It's good to go.

@gziolo gziolo changed the title Scripts: Update dependencies Scripts: Update puppeteer-core dependency Aug 30, 2024
@gziolo gziolo enabled auto-merge (squash) August 30, 2024 06:34
@gziolo gziolo disabled auto-merge August 30, 2024 06:35
@jacobcassidy
Copy link
Copy Markdown
Contributor Author

jacobcassidy commented Aug 30, 2024

@gziolo Thanks for the instructions and follow-up.

@gziolo gziolo added the [Type] Breaking Change For PRs that introduce a change that will break existing functionality label Aug 30, 2024
@gziolo gziolo enabled auto-merge (squash) August 30, 2024 06:37
@gziolo
Copy link
Copy Markdown
Member

gziolo commented Aug 30, 2024

It looks like ESLint detected that puppeteer-core doesn't get installed in the top node_modules folder. To fix it, we would have to put puppeteer-core as a dev dependency in the main package.json file. Remove all changes added in this branch to the main package-lock.json file. Run npm install, and it should all be good.

@gziolo gziolo disabled auto-merge August 30, 2024 07:17
@gziolo gziolo enabled auto-merge (squash) September 4, 2024 10:59
@gziolo gziolo merged commit 6accdd3 into WordPress:trunk Sep 4, 2024
@github-actions github-actions Bot added this to the Gutenberg 19.2 milestone Sep 4, 2024
@acicovic acicovic mentioned this pull request Sep 17, 2024
Closed
@jacobcassidy jacobcassidy mentioned this pull request Sep 19, 2024
Closed
@kjroelke kjroelke mentioned this pull request Nov 27, 2024
Closed
2 tasks
@jacobcassidy jacobcassidy deleted the wp-scripts-fix branch April 3, 2025 00:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gziolo gziolo gziolo approved these changes

@ntwb ntwb Awaiting requested review from ntwb ntwb is a code owner

@nerrad nerrad Awaiting requested review from nerrad nerrad is a code owner

@ajitbohra ajitbohra Awaiting requested review from ajitbohra ajitbohra is a code owner

@ryanwelcher ryanwelcher Awaiting requested review from ryanwelcher ryanwelcher is a code owner

Assignees

No one assigned

Labels

First-time Contributor Pull request opened by a first-time contributor to Gutenberg repository [Tool] WP Scripts /packages/scripts [Type] Breaking Change For PRs that introduce a change that will break existing functionality

Projects

None yet

Milestone

Gutenberg 19.2

Development

Successfully merging this pull request may close these issues.

4 participants

@jacobcassidy @Mamaduka @gziolo @shail-mehta