thomas-darling / gulp-dependents

Gulp plugin that tracks dependencies between files and adds any files that depend on the files currently in the stream, thus enabling incremental build.

Replace deprecated dependency gulp-util #4

Closed jr-cologne closed 4 years ago

jr-cologne commented 4 years ago

Hi @thomas-darling,

I have recently come across your gulp plugin gulp-dependents when I was trying to fix incremental builds of sass files. Integrating gulp-dependents has been a very nice and quick way of boosting the build performance while still being able to split things up into multiple files in order to keep everything organized.

Unfortunately, the dependencies of your plugin are quite outdated, which of course raises some security concerns. Specifically, your plugin still requires gulp-util, which has been deprecated for a few years now. Since last summer, there has actually been a critical security vulnerability (CVE-2019-10744) in gulp-util's dependency lodash.template. In order to fix this issue, gulp-util should be replaced as a dependency of your plugin.

As no one seems to have tried submitting a PR for this important change yet, I really hope you are willing to publish a new version of your plugin to address this issue as well as a few other smaller things I stumbled across when working on this security fix.

So, here's a list of what I changed and why:

As these changes, especially the major version bumps, are quite radical, I hope I haven't unknowingly introduced any breaking changes. My tests and research have shown neither errors nor any other problems or incompatibilities, which is why I believe everything should be fine. However, as I have never worked with TS before, I might have overlooked something. Moreover, the major update of through2 or the switch to the gulp-util alternatives could of course also raise issues I do not expect or know about. What I am basically trying to say: Please test this before blindly trusting my changes, as I don't want to be responsible for a failing release. 😄 More importantly, you are free to revert/reject any changes which go too far in your opinion. I am happy to revert anything you don't like as long as gulp-util is replaced, as this is the most important change.

Alright, I hope I have explained everything in sufficient detail so that you don't have to spend too much time on getting this PR merged. I really appreciate your time and effort for maintaining this gulp plugin and hope that you still accept PRs even though there have been no updates to this repository for quite a while. I understand there might be more important projects, so don't hesitate to let me wait for a while if you have no downtime for dealing with this PR.

Stay safe in these uncertain times and keep up the good work!

Kind regards from Germany, @jr-cologne

thomas-darling commented 4 years ago

Hi, @jr-cologne

Sorry for the lack of maintenance on this one - It's been a few years since I last worked on a project using Gulp, so that's why these plugins languished a bit :-)

The pull request looks good though, so of course I'd be happy to make a release. I'll just do some quick testing, and try to get it released this weekend :-)

Thanks for the help!

jr-cologne commented 4 years ago

Alright, no need to apologize. Thank you for taking the effort to make a new release, I appreciate that! Have a nice day! 😃