
npm dependencies in wp scaffold plugin #233

Open
rosswintle opened this issue Aug 1, 2019 · 2 comments

Comments

@rosswintle
Contributor

rosswintle commented Aug 1, 2019

Bug Report

Describe the current, buggy behavior

Running wp scaffold plugin generates a package.json which contains:

  "devDependencies": {
    "grunt": "~0.4.5",
    "grunt-wp-i18n": "~0.5.0",
    "grunt-wp-readme-to-markdown": "~1.0.0"
  }

Running npm install on this generates this output:

added 48 packages from 51 contributors and audited 117 packages in 2.265s
found 51 vulnerabilities (10 low, 13 moderate, 28 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Pushing a plugin with these dependencies to GitHub will send you a message:

Known high severity security vulnerability detected in lodash < 4.17.13 defined in package-lock.json.
package-lock.json update suggested: lodash ~> 4.17.13.

The "bug" is that the plugin scaffold includes known high-severity security dependencies.

I'm not hugely familiar with the dependencies and why they might be at these versions but:

  • Grunt's stable version is 1.0.3
  • grunt-wp-i18n is at 1.0.3
  • grunt-wp-readme-to-markdown is at 2.0.1

Describe how other contributors can replicate this bug

  • run wp scaffold plugin
  • run npm install
  • (optional) run npm audit

Describe what you would expect as the correct outcome

Scaffolded plugin should have dependencies with known insecurities

Let us know what environment you are running this on

OS:	Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
Shell:	/usr/local/bin/zsh
PHP binary:	/Applications/MAMP/bin/php/php7.1.12/bin/php
PHP version:	7.1.12
php.ini used:	/Applications/MAMP/bin/php/php7.1.12/conf/php.ini
WP-CLI root dir:	phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:	phar://wp-cli.phar/vendor
WP_CLI phar path:	/Users/rosswintle/projects/rosswintle/wp-content/plugins/plugin-test
WP-CLI packages dir:	/Users/rosswintle/.wp-cli/packages/
WP-CLI global config:	/Users/rosswintle/.wp-cli/config.yml
WP-CLI project config:
WP-CLI version:	2.2.0

Provide a possible solution

Someone will need to analyse the dependencies and update them to appropriate versions
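As an added example (not code from WP-CLI or from the issue author), the small Node script below shows why the scaffold's tilde ranges can never resolve to the current stable releases listed in the report, and walks a package-lock.json tree for lodash copies older than the 4.17.13 fix that the GitHub alert names. The version table and the sample package.json and lock tree are constructed from the numbers quoted in the issue.

```javascript
// Added example, not WP-CLI code: check a scaffolded package.json and package-lock.json
// against known-good versions. Tables and sample inputs are constructed from the issue.
function parseVersion(v) { // "~0.4.5" -> [0, 4, 5]
  return v.replace(/^[~^]/, '').split('.').map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Exclusive upper bound npm may resolve a ~, ^ or exact range to (^0.0.x not special-cased).
function rangeCeiling(range) {
  const [major, minor, patch] = parseVersion(range);
  if (range.startsWith('~')) return [major, minor + 1, 0];
  if (range.startsWith('^')) return major === 0 ? [0, minor + 1, 0] : [major + 1, 0, 0];
  return [major, minor, patch + 1];
}
// Can `npm install` ever pick up the fixed release `target` under `range`?
function rangeCanReach(range, target) {
  return compareVersions(parseVersion(target), rangeCeiling(range)) < 0;
}
// Current stable releases as listed in the issue.
const CURRENT_STABLE = { grunt: '1.0.3', 'grunt-wp-i18n': '1.0.3', 'grunt-wp-readme-to-markdown': '2.0.1' };
// devDependencies whose range can never resolve to the current stable release.
function findStaleRanges(pkg, stable = CURRENT_STABLE) {
  return Object.entries(pkg.devDependencies || {})
    .filter(([name, range]) => stable[name] && !rangeCanReach(range, stable[name]))
    .map(([name, range]) => ({ name, range, stable: stable[name] }));
}
// Walk a lockfileVersion-1 style tree; list every copy of `name` older than `fixedIn`.
function findVulnerableInLock(lock, name, fixedIn) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      if (dep === name && compareVersions(parseVersion(info.version), parseVersion(fixedIn)) < 0) {
        hits.push({ path: [...path, dep].join(' > '), version: info.version });
      }
      walk(info.dependencies, [...path, dep]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}
// Constructed inputs from the issue: the scaffold's devDependencies, and a lock tree with two stale lodash copies.
const SCAFFOLD_PKG = { devDependencies: { grunt: '~0.4.5', 'grunt-wp-i18n': '~0.5.0', 'grunt-wp-readme-to-markdown': '~1.0.0' } };
const SAMPLE_LOCK = { dependencies: {
  grunt: { version: '0.4.5', dependencies: { lodash: { version: '0.9.2' } } },
  'grunt-wp-i18n': { version: '0.5.0', dependencies: { lodash: { version: '4.17.11' } } },
  lodash: { version: '4.17.13' },
} };
console.log(findStaleRanges(SCAFFOLD_PKG), findVulnerableInLock(SAMPLE_LOCK, 'lodash', '4.17.13'));
```

All three scaffold ranges are reported as stale, which is why `npm install` keeps pulling the old grunt line and its vulnerable transitive dependencies no matter how often the lockfile is regenerated; bumping the ranges (or dropping Grunt) is the only fix.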

@schlessera
Member

I'm not sure grunt is actually needed here anymore. The grunt-wp-i18n dependency can be replaced with the new wp i18n WP-CLI command, and I'm sure we can easily whip up a new command for turning Readme text files into Markdown...

So I'd suggest looking into getting rid of Grunt altogether for a base plugin. If you happen to need a better build system, then it should probably be assembled on-the-fly out of what Core is currently doing for Gutenberg. This way, it would keep current with Core.

@ernilambar
Member

Related #337
