[wp-trac] [WordPress Trac] #47175: TwentyNineteen Vulnerability Due To Old Dependency Version
WordPress Trac
noreply at wordpress.org
Tue May 7 23:52:26 UTC 2019
#47175: TwentyNineteen Vulnerability Due To Old Dependency Version
--------------------------+------------------------------
Reporter: mikebronner | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Themes | Version:
Severity: normal | Resolution:
Keywords: close | Focuses:
--------------------------+------------------------------
Changes (by jeremyfelt):
* keywords: => close
* severity: major => normal
Comment:
Hi @mikebronner, thanks for the ticket!
It looks like a few of our dependencies (`postcss-cli`, `node-sass`,
`chokidar-cli`) have `node-gyp` or `node-pre-gyp` as dependencies of their
own. These in turn have older `tar` dependencies.
I'm not sure that we can/need to do anything immediately. This code is
only used as part of the theme's build tooling and is not distributed and
should be relatively low risk. I don't believe that we process any
tarballs.
Once the issue has been addressed in upstream packages, we can update the
theme's package file.
It looks like `chokidar` has updated its dependency, and that affects
`postcss-cli` and `chokidar-cli`, so it may be that `node-sass` is the
only remaining package to wait for.
The `node-sass` project has an open issue tracking this:
https://github.com/sass/node-sass/issues/2625
I'm going to propose closing this, as this is more of an upstream issue,
but happy to leave it open if others think it's helpful.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47175#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
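To see how the tree described in the comment can be checked mechanically, here is an added example (not code from the ticket or the theme) that walks a lockfileVersion 1 `package-lock.json` and lists every path leading to a named package, then filters to versions older than a caller-supplied threshold. The lock tree, version numbers and the `minFixed` threshold are constructed for illustration and are not the theme's real dependency data.

```javascript
// Added example (not from the ticket or the theme): walk a package-lock.json
// (lockfileVersion 1 layout, nested "dependencies" objects) and list every
// path that reaches a given package, so a maintainer can see which direct
// dependencies pull in an old "tar". The lock tree and version numbers here
// are constructed for illustration, not the theme's real dependency tree.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "postcss-cli": { version: "6.1.2", dependencies: {
      chokidar: { version: "2.1.5", dependencies: {
        fsevents: { version: "1.2.7", dependencies: {
          "node-pre-gyp": { version: "0.10.3", dependencies: {
            tar: { version: "4.4.8" } } } } } } } } },
    "node-sass": { version: "4.11.0", dependencies: {
      "node-gyp": { version: "3.8.0", dependencies: {
        tar: { version: "2.2.1" } } } } },
  },
};

// Compare dotted numeric versions (no pre-release handling); true when a < b.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk collecting every occurrence of `target`; each hit records
// the chain of package names from the top-level dependency down to it.
function findPaths(lock, target) {
  const hits = [];
  const walk = (deps, chain) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = chain.concat(name);
      if (name === target) hits.push({ path: path.join(" > "), version: info.version });
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Keep only occurrences older than `minFixed`, the version the caller treats
// as the first fixed release (an input here, not a value from the ticket).
function outdatedPaths(lock, target, minFixed) {
  return findPaths(lock, target).filter((h) => versionLessThan(h.version, minFixed));
}
```

Running `outdatedPaths(lock, "tar", minFixed)` against a real lock file shows which top-level build dependency still needs an upstream update before the theme's package file can be bumped.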