search

wp-cli / scaffold-command

Generates code for post types, taxonomies, blocks, plugins, child themes, etc.
MIT License
165 stars 87 forks source link

npm dependencies in wp scaffold plugin #233

Open rosswintle opened 5 years ago

rosswintle commented 5 years ago

Bug Report

Describe the current, buggy behavior

Running wp scaffold plugin generates a package.json which contains:

  "devDependencies": {
    "grunt": "~0.4.5",
    "grunt-wp-i18n": "~0.5.0",
    "grunt-wp-readme-to-markdown": "~1.0.0"
  }

Running npm install on this generates this output:

added 48 packages from 51 contributors and audited 117 packages in 2.265s
found 51 vulnerabilities (10 low, 13 moderate, 28 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Pushing a plugin with these dependencies to GitHub will send you a message:

Known high severity security vulnerability detected in lodash < 4.17.13 defined in package-lock.json.
--
package-lock.json update suggested: lodash ~> 4.17.13.

The "bug" is that the plugin scaffold includes known high-severity security dependencies.

I'm not hugely familiar with the dependencies and why they might be at these versions but:

Describe how other contributors can replicate this bug

Describe what you would expect as the correct outcome

Scaffolded plugin should have dependencies with known insecurities

Let us know what environment you are running this on

OS: Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
Shell:  /usr/local/bin/zsh
PHP binary: /Applications/MAMP/bin/php/php7.1.12/bin/php
PHP version:    7.1.12
php.ini used:   /Applications/MAMP/bin/php/php7.1.12/conf/php.ini
WP-CLI root dir:    phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:  phar://wp-cli.phar/vendor
WP_CLI phar path:   /Users/rosswintle/projects/rosswintle/wp-content/plugins/plugin-test
WP-CLI packages dir:    /Users/rosswintle/.wp-cli/packages/
WP-CLI global config:   /Users/rosswintle/.wp-cli/config.yml
WP-CLI project config:
WP-CLI version: 2.2.0

Provide a possible solution

Someone will need to analyse the dependencies and update them to appropriate versions

schlessera commented 5 years ago

I'm not sure grunt is actually needed here anymore. The grunt-wp-i18n dependency can be replaced with the new wp i18n WP-CLI command, and I'm sure we can easily whip up a new command for turning Readme text files into Markdown...

So I'd suggest looking into getting rid of Grunt altogether for a base plugin. If you happen to need a better build system, then it should probably be assembled on-the-fly out of what Core is currently doing for Gutenberg. This way, it would keep current with Core.

ernilambar commented 5 months ago

Related https://github.com/wp-cli/scaffold-command/pull/337