[TASK] Update vulnerable build dependencies (0787c222) · Commits · TYPO3 / TYPO3.CMS

Commit 0787c222 authored 2 years ago by
Benjamin Franzke
[TASK] Update vulnerable build dependencies

Update (most) vulnerable dependencies/packages found by
`npm audit fix --force --dry-run`.

Notes redarding package changes:

 * The outdated grunt-postcss plugin is replaced by a (maintained)
   fork for compatibility with newer grunt versions.

 * karma is updated to v6 and pulls in @types/node which conflicts with
   TypeScript type definitions by @types/requirejs. Therefore 3rd party
   type declarations from packages (@types/*) are now explicitly
   enabled in tsconfig.json – note that there is no other way to exclude
   from typeRoots:
   https://github.com/microsoft/TypeScript/issues/18588

 * grunt-lintspaces and grunt-contrib-imagemin are replaced
   as these packages have been not been updated to not depend
   on vulnerabe dependencies, while grunt-lintspaces and
   grunt-contrib-imagemin would cause downgrades to older
   version when running `npm audit fix --force` (because only
   the older versions do not depend on vulnerable software).

 * (grunt-contrib-)imagemin is replaced by squoosh (by google) as
   a) imagemin dependencies ("bin-build" > "download") rely on vulnerable
      versions of "got".
      Neither of these packages is currently updated,see
      https://github.com/kevva/download/issues/224
   b) imagemin is unmaintained:
      https://github.com/imagemin/imagemin/issues/385
      and suggests squoosh as replacement

 * stylefmt is replaced by a maintained fork.

There is one remaining packages that pulls in a vulnerability alerts:

  * jquery-ui is marked as vulnerable (severity: high), but worked on
    in a separate patch #96497.
    (We don't actually use the vulnerable library parts though).

Vulnerability report before this patch:

    74 vulnerabilities (1 low, 30 moderate, 38 high, 5 critical)

Vulnerability report after this patch:

    1 high severity vulnerability
    (this is jquery-ui)

Commands executed:

  # Supposed to be non breaking, but broke grunt-css
  npm audit fix
  npm remove grunt-postcss
  npm install @lodder/grunt-postcss

  # Preparation for `npm audit fix --force` (breaking changes)
  npm install grunt@^1.5
  npm install grunt-lintspaces@^0.10.0
  npm remove grunt-lintspaces
  npm install --save-dev lintspaces-cli
  npm remove grunt-contrib-imagemin
  npm install --save-dev
  npm remove stylefmt
  npm install --save-dev @ronilaukkarinen/stylefmt
  npm audit fix --force

Releases: main
Resolves: #98198
Change-Id: I09df87fe131a499790e6c5f95f1c51e9216b71c2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75539


Tested-by: core-ci <typo3@b13.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
parent e07a54ad
Branches