[wp-trac] [WordPress Trac] #47175: Twenty Nineteen: Vulnerability Due To Old Dependency Version

WordPress Trac noreply at wordpress.org
Thu Jun 13 20:21:45 UTC 2019


#47175: Twenty Nineteen: Vulnerability Due To Old Dependency Version
-----------------------------------+------------------------------
 Reporter:  mikebronner            |       Owner:  (none)
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Bundled Theme          |     Version:
 Severity:  normal                 |  Resolution:
 Keywords:  2nd-opinion has-patch  |     Focuses:
-----------------------------------+------------------------------
Changes (by desrosj):

 * keywords:  close => 2nd-opinion has-patch


Comment:

 While I agree with @jeremyfelt's assessment that this is not going to
 affect any distributed version of the theme, it does seem that all the
 packages have been updated upstream.

 [attachment:"47175.diff"] is the result of running `npm audit fix`. The
 result is `postcss-cli` and `chokidar-cli` being upgraded. The problem
 dependency for `node-sass` worked itself out in the process due to the way
 the version ranges were defined.

 I also added the `src/wp-content/themes/twentynineteen/node_modules`
 directory to the ignore list in [attachment:"47175.diff"].

 After the upgrade, running `npm run-script build` results in no changes to
 any theme files.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47175#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform