uswds / uswds-compile

Simple Gulp 4 functions for copying USWDS static assets and transforming USWDS Sass into browser-readable CSS.

USWDS-Compile - POAM: May '24 #101

Closed mahoneycm closed 3 months ago

mahoneycm commented 3 months ago

Summary

Updated non-vulnerable dependencies including the USWDS package.

Snyk errors

Updated snyk ignore to resolve the following issues:

npx snyk ignore --id="SNYK-JS-BRACES-6838727" --reason="No available upgrade or patch" 
npx snyk ignore --id="SNYK-JS-INFLIGHT-6095116" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-MICROMATCH-6838728" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-POSTCSS-5926692" --reason="No available upgrade or patch" 
npx snyk ignore --id="SNYK-JS-ANSIREGEX-1583908" --reason="Upgrading Gulp causes regression in asset compilation"

Testing instructions

  1. Install this branch on site
    • On Site's main branch, run:
      npm install "https://github.com/uswds/uswds-compile/tree/cm-POAM-may-2024" --save
  2. Run gulp sass scripts and ensure compile runs as expected without error.
  3. Ensure no when package is used to compile site
    1. Visit demo repo
    2. Run gulp compile commands and confirm they run without error
    3. Visit site preview and confirm there are no regressions

Dependency updates

| Dependency | Old version | New version |
| --- | --- | --- |
| sass-embedded | 1.74.1 | 1.77.0 |
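
The `snyk ignore` commands in the description write time-limited exceptions into the repo's `.snyk` policy file, and those exceptions need revisiting once they expire. As an added example (not code from the uswds-compile project), the script below lists what a policy file ignores, with reason and expiry, and flags the ones that have lapsed. The sample policy is constructed here, and its layout follows the file `snyk ignore` writes as the author of this example understands it (an assumption, not something the PR shows); the parser is deliberately limited to that layout rather than general YAML.

```python
"""Audit the ignore block of a .snyk policy file (added example, not project code)."""
from datetime import datetime, timezone
import re

# Constructed sample .snyk file: two of the ignores from the PR above, one already
# past its expiry date.  Layout per the author's understanding of `snyk ignore`
# output (assumption).
SAMPLE_POLICY = """\
# Snyk (https://snyk.io) policy file
version: v1.25.0
ignore:
  SNYK-JS-BRACES-6838727:
    - '*':
        reason: No available upgrade or patch
        expires: 2024-06-15T00:00:00.000Z
        created: 2024-05-16T00:00:00.000Z
  SNYK-JS-ANSIREGEX-1583908:
    - '*':
        reason: Upgrading Gulp causes regression in asset compilation
        expires: 2099-01-01T00:00:00.000Z
        created: 2024-05-16T00:00:00.000Z
patch: {}
"""

ID_RE = re.compile(r"^  (\S+):\s*$")                      # two-space indent: vuln id
FIELD_RE = re.compile(r"^\s{8}(reason|expires):\s*(.+?)\s*$")  # fields under the path entry


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in the policy file."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_ignores(policy_text: str) -> dict[str, dict[str, str]]:
    """Return {vuln_id: {"reason": ..., "expires": ...}} from the ignore block."""
    ignores: dict[str, dict[str, str]] = {}
    current = None
    in_ignore = False
    for line in policy_text.splitlines():
        if line.startswith("#"):
            continue
        if not line.startswith(" "):          # top-level key: enter/leave ignore block
            in_ignore = line.startswith("ignore:")
            current = None
            continue
        if not in_ignore:
            continue
        m = ID_RE.match(line)
        if m:
            current = m.group(1)
            ignores[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current:
            ignores[current][m.group(1)] = m.group(2)
    return ignores


def expired_ignores(policy_text: str, now_iso: str) -> list[str]:
    """Vuln ids whose ignore has expired as of `now_iso` (same timestamp format)."""
    now = _parse_ts(now_iso)
    return sorted(
        vid for vid, fields in parse_ignores(policy_text).items()
        if "expires" in fields and _parse_ts(fields["expires"]) <= now
    )


if __name__ == "__main__":
    for vid, fields in parse_ignores(SAMPLE_POLICY).items():
        print(f"{vid}: expires {fields.get('expires')} ({fields.get('reason')})")
    print("expired:", expired_ignores(SAMPLE_POLICY, "2024-07-01T00:00:00.000Z"))
```

Run it against a real `.snyk` by reading the file into `parse_ignores`; an ignore whose reason is "No available upgrade or patch" is exactly the kind that should be re-checked when it expires, since a fix may have shipped in the meantime.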
mejiaj commented 3 months ago

@mahoneycm there's a snyk failure on this PR. Can you check it out?

mahoneycm commented 3 months ago

@mejiaj Snyk errors were coming from Gulp. I was able to successfully bump Gulp to its next major version to resolve one of the high severity snyk failures. The rest were added to the snyk ignore.

I updated the PR description with additional information and created a demo branch in our site repo

mejiaj commented 3 months ago

@mahoneycm we haven't sufficiently tested this next major version, so I'd hesitate to merge.

mahoneycm commented 3 months ago

I've created a testing repo for Site and Sandbox.

Site seems to compile as expected without error but I keep running into an image / asset copy issue on sandbox that causes all of the images to be corrupted 😬
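
The corrupted-image report above is the kind of regression a byte-level integrity check catches before it reaches a site preview. As an added example (not uswds-compile code, and not using Gulp), the script below copies a constructed asset tree and compares SHA-256 hashes of source and destination; `copy_as_text` is a hypothetical stand-in for a build step that passes every file through a text decode/encode, one common way binary assets get silently altered, and is not a claim about what Gulp 5 does.

```python
"""Verify that an asset copy step preserved files byte-for-byte (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable

# Constructed samples: a PNG signature followed by bytes that are not valid UTF-8,
# and a plain-ASCII stylesheet that survives text-mode handling unchanged.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(128, 256)) + b"\x00IEND"
SAMPLE_CSS = b"body { color: #000; }\n"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def copy_binary(src: Path, dst: Path) -> None:
    """Correct copy: bytes in, bytes out."""
    dst.write_bytes(src.read_bytes())


def copy_as_text(src: Path, dst: Path) -> None:
    """Hypothetical faulty copy that decodes the file as UTF-8 on the way through;
    undecodable bytes are replaced, so binary files change while text files do not."""
    text = src.read_bytes().decode("utf-8", errors="replace")
    dst.write_bytes(text.encode("utf-8"))


def verify_copy(src_dir: Path, dst_dir: Path) -> list[str]:
    """Relative paths whose destination copy is missing or differs from the source."""
    bad = []
    for src in src_dir.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(src_dir)
        dst = dst_dir / rel
        if not dst.is_file() or sha256(src) != sha256(dst):
            bad.append(rel.as_posix())
    return sorted(bad)


def run_demo(copier: Callable[[Path, Path], None]) -> list[str]:
    """Build a temp source tree, copy it with `copier`, and report mismatches."""
    with tempfile.TemporaryDirectory() as tmp:
        src_dir = Path(tmp) / "src"
        dst_dir = Path(tmp) / "dist"
        (src_dir / "img").mkdir(parents=True)
        (src_dir / "img" / "logo.png").write_bytes(SAMPLE_PNG)
        (src_dir / "styles.css").write_bytes(SAMPLE_CSS)
        for src in src_dir.rglob("*"):
            if src.is_file():
                dst = dst_dir / src.relative_to(src_dir)
                dst.parent.mkdir(parents=True, exist_ok=True)
                copier(src, dst)
        return verify_copy(src_dir, dst_dir)


if __name__ == "__main__":
    print("binary copy mismatches:", run_demo(copy_binary))
    print("text-mode copy mismatches:", run_demo(copy_as_text))
```

Pointing `verify_copy` at the real source and output directories after a compile run gives a pass/fail signal that does not depend on eyeballing a preview, which is useful when testing a major build-tool upgrade like the one discussed here.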

mahoneycm commented 3 months ago

Gulp regression

Upgrading to Gulp 5 caused a possible regression in our Sandbox repo when running copyAssets and copyImages compile scripts.

I've reverted Gulp back to 4.0.2. We can use #99 to continue testing Gulp major version updates.