cr0ybot / gulp-wp

A reusable, extendable, updatable Gulp workflow for WordPress themes & plugins
MIT License

Update dependencies, support Node 18 #35

Closed jerryklunk closed 1 year ago

jerryklunk commented 1 year ago

When I run 'npm install gulp-wp' I see a lot of "deprecated" warnings as well as "24 vulnerabilities (3 moderate, 21 high)". Running 'npm audit fix' as suggested doesn't seem to fix any of these. How do I update? Or is this not a worry?

[two screenshots attached]

cr0ybot commented 1 year ago

Thanks for the report, @jerryklunk!

This is generally not a concern, as these dependencies are all dev dependencies—AKA they only run for the build workflow, and none of it is exposed to the client-side code of the final build.

You have a configuration file on your machine. You build your project. You get static HTML+CSS+JS in a folder. You put it on static hosting. There is simply no way for your application user to affect your package.json configuration. This doesn’t make any sense. If the attacker already has access to your machine and can change your configuration files, you have a much bigger problem than slow regular expressions!

Quoted from https://overreacted.io/npm-audit-broken-by-design/

This package does need a deps update for sure, but due to the nature of depending on gulp packages, most of which haven't been touched since 2016, I don't think it will ever not give deprecation and vulnerability warnings. As long as it works, we're good.

That said, I'll keep this issue open until I do a much-needed maintenance update. At the very least I need to pull in updates from @wordpress-scripts, and also try to see if I can get it to work properly with Node 18+.
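A defender-side check for the point made above, added here as an example and not code from gulp-wp or its author: given a package.json and an `npm audit --json` report, it walks each finding's `effects` chain up to the directly declared package and reports whether the vulnerable package is reachable only through devDependencies (build toolchain) or through runtime dependencies. It assumes the npm 7+ audit JSON layout (`vulnerabilities`, `isDirect`, `effects`); both inputs below are constructed samples.

```python
# Added triage example (not gulp-wp code): decide whether each package in an
# `npm audit --json` report is reachable only through devDependencies.
# Assumes the npm 7+ audit JSON layout (vulnerabilities / isDirect / effects).
import json

# Constructed package.json; names are placeholders, not gulp-wp's real deps.
PACKAGE_JSON = json.loads('''{
  "dependencies": {"some-runtime-lib": "^1.0.0"},
  "devDependencies": {"gulp-wp": "^0.4.0"}
}''')

# Constructed `npm audit --json` output trimmed to the fields used here.
AUDIT_JSON = json.loads('''{"vulnerabilities": {
  "minimatch": {"severity": "high", "isDirect": false, "effects": ["gulp-wp"]},
  "gulp-wp": {"severity": "high", "isDirect": true, "effects": []},
  "some-runtime-lib": {"severity": "moderate", "isDirect": true, "effects": []},
  "orphan-pkg": {"severity": "low", "isDirect": false, "effects": []}
}}''')

def direct_dependents(name, vulns, seen=None):
    """Walk `effects` (the packages depending on `name`) up to direct deps."""
    seen = set() if seen is None else seen
    if name in seen:          # cycle guard; that branch is already explored
        return set()
    seen.add(name)
    entry = vulns[name]
    if entry.get("isDirect"):
        return {name}
    roots = set()
    for parent in entry.get("effects", []):
        if parent in vulns:   # npm only lists affected parents here
            roots |= direct_dependents(parent, vulns, seen)
    return roots

def classify(audit, pkg):
    """Map each vulnerable package to 'production', 'dev-only' or 'unresolved'."""
    prod = set(pkg.get("dependencies", {}))
    dev = set(pkg.get("devDependencies", {}))
    vulns = audit["vulnerabilities"]
    out = {}
    for name in vulns:
        roots = direct_dependents(name, vulns)
        if roots & prod:
            out[name] = "production"   # ships with the site's runtime deps
        elif roots & dev:
            out[name] = "dev-only"     # only the build toolchain is affected
        else:
            out[name] = "unresolved"   # no path to a declared dependency
    return out
```

Findings marked "unresolved" deserve a manual `npm ls <package>` rather than being waved through, since the audit report alone gives no path to a declared dependency.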