search

uswds / uswds-compile

Simple Gulp 4 functions for copying USWDS static assets and transforming USWDS Sass into browser-readable CSS.
Other
20 stars 12 forks source link

USWDS-Compile - Feature: Support gulp 5 #99

Closed levinmr closed 2 days ago

levinmr commented 2 months ago

Is your feature request related to a problem? Please describe.

uswds-compile is causing npm audit warnings because it depends on old versions of gulp. Npm audit output follows:

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@5.0.0, which is a breaking change
node_modules/chokidar/node_modules/glob-parent
node_modules/glob-stream/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    glob-watcher  3.0.0 - 5.0.5
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
      gulp  4.0.0 - 4.0.2
      Depends on vulnerable versions of glob-watcher
      Depends on vulnerable versions of vinyl-fs
      node_modules/gulp
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    vinyl-fs  2.4.2 - 3.0.3
    Depends on vulnerable versions of glob-stream
    node_modules/vinyl-fs

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
No fix available
node_modules/@gulp-sourcemaps/identity-map/node_modules/postcss
  @gulp-sourcemaps/identity-map  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/@gulp-sourcemaps/identity-map
    gulp-sourcemaps  >=3.0.0
    Depends on vulnerable versions of @gulp-sourcemaps/identity-map
    node_modules/gulp-sourcemaps
      @uswds/compile  *
      Depends on vulnerable versions of gulp
      Depends on vulnerable versions of gulp-sourcemaps
      node_modules/@uswds/compile

Describe the solution you'd like

Support gulp v5

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

mahoneycm commented 1 month ago

Possible regression

I tested updating Gulp to 5.0.0 in #101. When installing the branch on our Site and Sandbox repos, I saw a possible regression in Sandbox when trying to run the copyAssets and copyImages compile scripts. The images would become corrupt and not be able to open properly. For whatever reason, this was not an issue on our Site repo.