Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Dependencies] [Security] Upgrade to Gulp4 #6566

Closed
wants to merge 11 commits into from

Conversation

acconrad
Copy link

@acconrad acconrad commented Sep 5, 2018

This fixes multiple bugs (#6549 #5762 #6214 ) and implements #3793 by upgrading from Gulp 3.9.1 to 4.0.0 which was released a few months ago.

The primary goal of this is to incorporate a series of vulnerability fixes (minimatch, hoek, and lodash) that were introduced within the dependencies of gulp, and as a result were patched starting in Gulp v4.

The basic upgrade flow works like this:

  1. Upgrade Gulp from 3.9.1 to 4.0.0
  2. Upgrade gulp-help to the version that specifically supports Gulp4 (1.6.1 to chmontgomery/gulp-help#gulp4)
  3. Upgrade additional dependencies that fix additional audit issues (gulp-concat-css, gulp-copy, gulp-less, gulp-watch, and github)
  4. Remove run-sequence which is now deprecated and natively replaced with gulp.series
  5. Fix calc() errors that arose out of interpolated strings with the latest version of gulp-less

With those tasks complete, npm install works and completes as intended with no errors and 0 security vulnerabilities.

@y0hami
Copy link
Member

y0hami commented Sep 5, 2018

This is great this will help a bunch!

@acconrad
Copy link
Author

acconrad commented Sep 6, 2018

May be worth waiting until this is merged to fully resolve all audit issues on dependencies

@jlukic
Copy link
Member

jlukic commented Sep 17, 2018

I wasnt able to get the tasks to run with this PR. Is this a work in progress?

@acconrad
Copy link
Author

acconrad commented Sep 21, 2018

Alright gulp-copy 4 is merged I'll take another look now to make sure the tasks run

@acconrad
Copy link
Author

@jlukic Okay this is now complete. You can run npm install and gulp and all tasks will successfully complete with no errors and no security vulnerabilities.

@y0hami
Copy link
Member

y0hami commented Sep 28, 2018

@acconrad Great, I will take a look at this when I have some time!

@y0hami
Copy link
Member

y0hami commented Oct 1, 2018

@acconrad I just did some testing and it all looks good. The only problem I can find is when running gulp build-docs it will crash with TypeError [ERR_INVALID_CALLBACK]: Callback must be a function. It seems line 83 in tasks/docs/build.js is the problem because in newer versions of node the fs.writeFile function throws an error when there is no callback. If I remember correctly this was introduced in node v9.

@acconrad
Copy link
Author

acconrad commented Oct 1, 2018

Cool @hammy2899 fixed!

Copy link
Member

@y0hami y0hami left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@y0hami y0hami mentioned this pull request Oct 2, 2018
@acconrad
Copy link
Author

acconrad commented Oct 2, 2018

@hammy2899 added a commit that should get your PR to work now :)

@jlukic
Copy link
Member

jlukic commented Oct 7, 2018

All of the calc variables need to pull from their respective variables (instead of being hard-coded) otherwise they wont adjust properly with user themes.

You'd want to be able to, for example change @ribbonMargin in label and have all other variables update properly.

@jlukic
Copy link
Member

jlukic commented Oct 7, 2018

Maybe related to
less/less.js#3191
less/less.js#3223

@acconrad
Copy link
Author

acconrad commented Oct 8, 2018

Good find @jlukic I had trouble finding that resolution, all fixed now!

@jlukic
Copy link
Member

jlukic commented Oct 13, 2018

I've merged #6512 which updates calcs for compatibility with less 3.5.

Can you take a look at that and see if it can fit into your PR? A simple way to confirm is to inspect an attached menu and verify its calc(100% + (-1px * 2))

"gulp-debug": "*",
"gulp-git": "*",
"gulp-tap": "*",
"merge-stream": "*"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was in both dependencies and dev dependencies and the latest version right now is 1.0.1 anyway so you shouldn't have this in both sections, that will trigger an NPM warning

@acconrad
Copy link
Author

@jlukic okay merged in. i verified everything looked right and the build still passes when building from npm and gulp.

@acconrad
Copy link
Author

acconrad commented Oct 22, 2018

sorry about all of the bumps, this was during Github's outage this weekend and it kept telling me that no comments were going through (I even tried deleting all of them and they keep coming back), @jlukic @hammy2899 ready to merge when you are

@jlukic
Copy link
Member

jlukic commented Oct 25, 2018

I was on vacation with family in Ireland, will probably have a chance to look this weekend or next.

@acconrad
Copy link
Author

acconrad commented Nov 5, 2018

This ready to merge?

@pgobin-zz
Copy link

pgobin-zz commented Nov 11, 2018

This ready to merge?

@acconrad @jlukic ./tasks/config/npm/gulpfile.js needs to be updated to match the new gulpfile.js.

@acconrad
Copy link
Author

all set @pgobin

@pgobin-zz
Copy link

@acconrad Have you noticed file.path no longer exists in watch.js?

From watch.js:

gulp
    .watch([
      source.config,
      source.definitions   + '/**/*.less',
      source.site          + '/**/*.{overrides,variables}',
      source.themes        + '/**/*.{overrides,variables}'
    ], function(file) {

    ...

    gulp.src(file.path)
              ^
    ...

For me, gulp watch outputs an undefined exception after editing .less or an override.

If it indeed does, a solution might look something like the following:

  const cssWatcher = gulp.watch([
    source.config,
    source.definitions   + '/**/*.less',
    source.site          + '/**/*.{overrides,variables}',
    source.themes        + '/**/*.{overrides,variables}'
  ]);

  cssWatcher.on('change', (path) => {

    ...

    gulp.src(path)

    ...

For the CSS watch and the remaining watches also.

@acconrad
Copy link
Author

@pgobin it wasn't there before I started this PR and this PR doesn't touch file.path so I would recommend you fix this in a separate PR

@acconrad
Copy link
Author

Are we ready to merge this? Still would love to get this one in for my team!

@badgerwithagun
Copy link

@jlukic? @levithomason? Can this be merged? Just this and a patch release would get the library building without security warnings...

@acconrad
Copy link
Author

Pinging @jlukic and @hammy2899 ... this has been ready for 2 months and could have positive security impacts for lots of folks :)

@y0hami
Copy link
Member

y0hami commented Jan 29, 2019

@acconrad You will have to wait for @jlukic to merge this.

If you haven't noticed all PR's are currently stale...

badgerwithagun added a commit to badgerwithagun/Semantic-UI that referenced this pull request Jan 29, 2019
"gulp-clone": "^2.0.1",
"gulp-concat": "^2.6.1",
"gulp-concat-css": "^3.1.0",
"gulp-copy": "4.0.1",
"gulp-dedupe": "0.0.2",
"gulp-flatten": "^0.4.0",
"gulp-header": "^2.0.5",
"gulp-help": "^1.6.1",
"gulp-help": "github:chmontgomery/gulp-help#gulp4",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm just reviewing these changes to merge into my own fork and saw this. Given that this PR is intended to solve security warnings, I don't think we can trust adding a dependency on a floating github branch. It could be modified at any time, making builds unrepeatable and adding an attack vector.

Is there no published version that can be used?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is never going to be a gulp4 release of gulp-help chmontgomery/gulp-help#31 (comment)

Copy link

@badgerwithagun badgerwithagun Jan 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about referencing the commit hash of the HEAD of that branch?

This should work (never tried it though):

github:chmontgomery/gulp-help#194e80e0545ff6af5d10eeba7e224d0da71eb8d3

Not sure the github dependency is needed either. This is standard:

git@github.com:github:chmontgomery/gulp-help.git#194e80e0545ff6af5d10eeba7e224d0da71eb8d3

E2A: yup

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@badgerwithagun You could also check out the Fomantic-UI fork at https://github.com/fomantic/Fomantic-UI . We already have updated to gulp 4 and gulp-help will be removed with the next release

"wrench-sui": "^0.0.3",
"yamljs": "^0.3.0"
},
"devDependencies": {
"github": "*",
"github": "^14.0.0",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See above. Not certain that this is needed.

@maxhq
Copy link

maxhq commented Aug 30, 2019

Is there anything that stops this PR from being merged? Any help needed?

@y0hami
Copy link
Member

y0hami commented Aug 30, 2019

@maxhq Give https://github.com/fomantic/Fomantic-UI a try it has gulp4 support and is activity maintained

@acconrad
Copy link
Author

ping

@y0hami
Copy link
Member

y0hami commented Oct 29, 2019

@acconrad This will most likely never be merged, its over 1 year now since last release of SUI (https://github.com/Semantic-Org/Semantic-UI/releases)

I would recommend anyone looking at this to take a look at Fomantic-UI the official community fork which has gulp4 support.

@acconrad acconrad closed this Oct 29, 2019
@vsubbotskyy
Copy link

vsubbotskyy commented Oct 29, 2019

Upgraded yesterday to Fomantic, supersmooth, no issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants