Conversation

@mikeplem
The version of @bubblegroup/glob-watcher needed to be bumped to fix the vulnerabilities found in this code.

Mike Plemmons added 2 commits October 23, 2024 17:06
- bump the version of @bubblegroup/glob-watcher to fix vulnerable libraries
@alessbelli (Collaborator) left a comment

Slight risk of breaking changes to gulp-cli, but low risk.

@mikeplem (Author)

@alessbelli is there a way I can test that?

@alessbelli (Collaborator)

Hard to tell, it really depends on how gulp works, but I assume if the main functionality (building bubble files) works after the change, I think we're good.

@mikeplem (Author)

Thanks. I will do that testing tomorrow to verify.

@mikeplem (Author)

I think I have been able to test successfully. I had to do the following, but npm run watch and npm run local did not fail.

The bubble repo depends on the gulp and gulp-changed repos, but neither has been published yet, so to test the local npm audit fixes I did this.

In the gulp-changed repo:

BEFORE

"devDependencies": {
  "@bubblegroup/gulp": "^4.0.4"
}

AFTER

"devDependencies": {
  "@bubblegroup/gulp": "file:.../gulp"
}

I then ran npm i to ensure the local libraries were installed.

In the bubble repo I did this:

BEFORE

"dependencies": {
  "@bubblegroup/gulp-changed": "^4.0.4",
  "gulp": "github:bubblegroup/gulp#v4.0.4"
}

AFTER

"dependencies": {
  "@bubblegroup/gulp-changed": "file:../gulp-changed",
  "gulp": "file:../gulp"
}

I then ran npm i, and then npm run watch and npm run local. I did not see any errors. I was able to log in to my local bubble.

I think this is enough, but can you verify?

@alessbelli (Collaborator)

npm link / unlink is easier locally in order to link packages together, but I suppose what you did works.

@mikeplem (Author)

mikeplem commented Oct 24, 2024

I started down that path but then went too far in trying to start from a clean slate and was constantly breaking my builds. I will do the npm link again.

I also remember why I stopped doing the npm link: npm audit does not appear to honor the symlink.

This was in gulp-changed:

$ npm link ../gulp

removed 300 packages, changed 1 package, and audited 644 packages in 6s

191 packages are looking for funding
  run `npm fund` for details

5 vulnerabilities (3 moderate, 2 high)

$ npm audit
13 vulnerabilities (1 low, 9 moderate, 3 high)

When doing the original change where I point to the local path, npm audit does show a lower number of vulnerabilities.

@mikeplem (Author)

I am going to merge this PR and publish the new version since the changes appear to be working successfully and the audit is showing no problems.

@mikeplem mikeplem merged commit 0b75219 into main Oct 24, 2024
@mikeplem mikeplem deleted the SOC-130-gulp branch October 24, 2024 14:39