Security fix. Upgrade to gulp 4.0.0 #10
Conversation
|
@isholgueras does this also resolve the upstream security issue identified a few months ago on #3 ? |
There was a problem hiding this comment.
I'm fine with updating gulp here, but wonder what kind of effects this is going to have on all projects that use this. Will they also need to update gulp? or just update gulp-frontend-tasks? I'm not sure what the upgrade process is for projects that use this framework. I think you could look at the obermeyer theme to figure out.
|
The process is to upgrade gulp for this project. If this project is part of the client project, we should update the client project as well, but imo, if we use this just for compile sass to scss files, uglify js and so forth, we're fine. The security issue comes if you're using this library to get requests from internet as a application server |
|
And yes @jameswilson , this PR fixes all the security issues (high, mid, low) this project have. I followed the official documentation and this post: |
|
Thanks! Merged. |
The security issue is with gulp 3.9.1 and the fix is to upgrade to gulp 4.0.0
Following the official documentation and this post, I've upgraded this to gulp 4.0.0.
It's important to point out that things like:
gulp.task('default', ['a', 'b'], function() { /*code*/ });become
gulp.task('default', gulp.series('a', 'b', function() { /*code*/ }));and also, tasks must be defined before being called. You must define tasks like
sass,sass:lint,... before calling it. Otherwise you will get this error:AssertionError [ERR_ASSERTION]: Task never defined: sass:lintI didn't see anything in the README.md to indicate how to upgrade, from 3.9.1 to 4.0.0 so I didn't added anything there.