Closed jr-cologne closed 4 years ago
Hi, @jr-cologne
Sorry for the lack of maintenance on this one - It's been a few years since I last worked on a project using Gulp, so that's why these plugins languished a bit :-)
The pull request looks good though, so of course I'd be happy to make a release. I'll just do some quick testing, and try to get it released this weekend :-)
Thanks for the help!
Alright, no need to apologize. Thank you for taking the efforts to make a new release, I appreciate that! Have a nice day! 😃
Hi @thomas-darling,
I have recently come across your gulp plugin `gulp-dependents` when I was trying to fix incremental builds of `sass` files. Integrating `gulp-dependents` has been a very nice and quick way for boosting up the build performance while still being able to split things up in multiple files in order to keep everything organized.

Unfortunately, the dependencies of your plugin are quite outdated which of course raises some security concerns. Specifically, your plugin still requires `gulp-util` which has been deprecated for a few years now. Since last summer, there is actually a critical security vulnerability (CVE-2019-10744) in `gulp-util`'s dependency `lodash.template`. In order to fix this issue, `gulp-util` should be replaced as a dependency of your plugin.

As no one seems to have tried submitting a PR for this important change yet, I really hope you are willing to publish a new version of your plugin to address this issue as well as a few other smaller things I stumbled across when working on this security fix.
So, here's a list of what I changed and why:

- `gulp-util` with the two alternatives `vinyl` (for `util.File`) and `fancy-log` (for `util.log`)
- `esModuleInterop` config for typescript as VS Code suggested that for imports
- `gulp` from the github repo instead of npm for some reason)
- `typescript`, `@types` packages as well as `through2`)
- `prepublish` with `prepare` in `package.json`
As these changes, especially the major version bumps, are quite radical, I hope I haven't unknowingly introduced any breaking changes. My tests and research have neither shown any errors nor any other problems or incompatibilities, which is why I believe everything should be fine. However, as I have never worked with TS before, I might overlook something. Moreover, the major update of `through2` or the switch to the `gulp-util` alternatives could of course also raise issues I do not expect or know about. What I am basically trying to say: Please test this before blindly trusting my changes as I don't want to be responsible for a failing release. 😄 More importantly, you are free to revert/reject any changes which go too far in your opinion. I am happy to revert anything you don't like as long as `gulp-util` is being replaced as this is the most important change.

Alright, I hope I have explained everything sufficiently detailed and well enough so that you don't have to spend too much time on getting this PR merged. I really appreciate your time and efforts for maintaining this gulp plugin and hope that you still accept PRs even though there have been no updates of this repository for quite a while. I understand there might be more important projects so don't hesitate to let me wait for a while if you have no downtime for dealing with this PR.
Stay safe in those uncertain times and keep up the good work!
Kind regards from Germany, @jr-cologne
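The chain the PR describes (a deprecated `gulp-util` pulling in a `lodash.template` affected by CVE-2019-10744) is exactly what a lockfile audit should surface. The script below is an added example, not code from this PR or from `gulp-dependents`: it walks a constructed `package-lock.json` (lockfileVersion 1 nesting, not the project's real lockfile) and reports every copy of a package below a given patched version together with the dependency path that pulls it in. The patched version is passed in as a parameter; `4.5.0` for `lodash.template` is taken from the lodash advisory, not from this PR.

```javascript
// Constructed lockfileVersion 1 tree (sample data, not gulp-dependents' real lock).
// gulp-util 3.x nests its own old lodash.template; the top-level copy is patched.
const SAMPLE_LOCK = {
  dependencies: {
    "gulp-util": {
      version: "3.0.8",
      dependencies: {
        "lodash.template": { version: "3.6.2" },
      },
    },
    "fancy-log": { version: "1.3.3" },
    "lodash.template": { version: "4.5.0" },
  },
};

// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk nested "dependencies" maps and collect every occurrence of
// `pkg`, remembering the chain of package names that led to it.
function findPaths(node, pkg, trail = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg) hits.push({ path, version: child.version });
    hits.push(...findPaths(child, pkg, path));
  }
  return hits;
}

// Report each copy of `pkg` older than `fixedIn` as "a > b > pkg@version (...)".
// Copies at or above `fixedIn` are silently accepted.
function auditLock(lock, pkg, fixedIn) {
  return findPaths(lock, pkg)
    .filter((h) => compareVersions(h.version, fixedIn) < 0)
    .map((h) => `${h.path.join(" > ")}@${h.version} (needs >= ${fixedIn})`);
}

// Example run against the constructed lock: only the copy under gulp-util is flagged.
console.log(auditLock(SAMPLE_LOCK, "lodash.template", "4.5.0"));
```

Pointing `auditLock` at `JSON.parse(fs.readFileSync("package-lock.json"))` before and after the `gulp-util` replacement shows the flagged path disappearing, which is a quicker check than re-reading the tree by hand.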