Security improvement #2388

Closed
wants to merge 2 commits into from
Conversation

ralic

@ralic ralic commented Oct 22, 2019

Original Pull Request:
#2386

Please reconsider this pull request because:

1) All tests passed.
https://travis-ci.org/SaferNodeJS/gulp
https://travis-ci.org/SaferNodeJS/gulp/builds

Security improvement reported as follows:
Before

added 675 packages from 696 contributors and audited 7707 packages in 65.48s
found 47 vulnerabilities (17 low, 7 moderate, 21 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

After Fixing

added 635 packages from 822 contributors and audited 7354 packages in 41.695s
found 0 vulnerabilities
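The before/after `npm audit` summaries quoted in the PR description are the kind of output a CI gate acts on, but the human-readable "found N vulnerabilities" line is awkward to parse. The following is an added example, not code from the gulp project or from this PR: it reads the JSON that `npm audit --json` emits (assumption: the per-severity counts under `metadata.vulnerabilities`, as produced by npm 6 and later) and fails the build when anything at or above a chosen severity remains. The two sample reports are constructed to match the counts in the PR description.

```javascript
// Added example (not part of gulp or PR #2388): gate a CI build on the
// summary that `npm audit --json` emits instead of grepping the text output.
//
// Assumption: npm 6+ JSON output carries `metadata.vulnerabilities` with
// per-severity counts (info, low, moderate, high, critical).

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample matching the "Before" summary in the PR description.
const SAMPLE_AUDIT_BEFORE = JSON.stringify({
  metadata: {
    vulnerabilities: { info: 0, low: 17, moderate: 7, high: 21, critical: 2 },
    totalDependencies: 7707,
  },
});

// Constructed sample matching the "After Fixing" summary.
const SAMPLE_AUDIT_AFTER = JSON.stringify({
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0 },
    totalDependencies: 7354,
  },
});

// Parse audit JSON into per-severity counts. A missing severity key counts
// as zero; output without the expected shape is rejected rather than
// silently treated as "clean".
function parseAuditCounts(jsonText) {
  const report = JSON.parse(jsonText);
  const vulns = report && report.metadata && report.metadata.vulnerabilities;
  if (!vulns || typeof vulns !== 'object') {
    throw new Error('npm audit output has no metadata.vulnerabilities');
  }
  const counts = {};
  for (const sev of SEVERITIES) {
    const n = vulns[sev] === undefined ? 0 : vulns[sev];
    if (!Number.isInteger(n) || n < 0) {
      throw new Error(`bad count for severity ${sev}: ${vulns[sev]}`);
    }
    counts[sev] = n;
  }
  return counts;
}

// Pass/fail decision: any finding at or above `threshold` fails the build.
// Returns counts as well so the caller can log what tripped the gate.
function evaluateAudit(jsonText, threshold = 'high') {
  const idx = SEVERITIES.indexOf(threshold);
  if (idx < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const counts = parseAuditCounts(jsonText);
  const total = SEVERITIES.reduce((sum, sev) => sum + counts[sev], 0);
  const failing = SEVERITIES.slice(idx).reduce((sum, sev) => sum + counts[sev], 0);
  return { pass: failing === 0, total, failing, counts };
}

// Summary line in the same style npm prints, for CI logs.
function formatSummary(result) {
  if (result.total === 0) return 'found 0 vulnerabilities';
  const parts = SEVERITIES.filter((sev) => result.counts[sev] > 0)
    .map((sev) => `${result.counts[sev]} ${sev}`);
  return `found ${result.total} vulnerabilities (${parts.join(', ')})`;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: `npm audit --json > audit.json`, then pass the file contents in.
  const samples = [['before', SAMPLE_AUDIT_BEFORE], ['after', SAMPLE_AUDIT_AFTER]];
  for (const [label, text] of samples) {
    const r = evaluateAudit(text, 'high');
    console.log(`${label}: ${formatSummary(r)} -> ${r.pass ? 'PASS' : 'FAIL'}`);
  }
}
```

In a pipeline this would run against `npm audit --json > audit.json` after `npm install`. Note that audit counts are a function of the advisory database at the moment the command runs, so a "found 0 vulnerabilities" result is a point-in-time statement, not a property of the lockfile.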

ralic and others added 2 commits October 13, 2019 04:04
For better security concerns, removed support for older versions of Node.js
@demurgos
Member

@ralic
This is a breaking change. Even if the Node maintainers and some plugins dropped support for older Node versions, Gulp still supports them (yes, even Node 0.10).

If you want to fix these vulnerabilities, the first step is to open an issue to discuss the supported Node versions.

@ralic
Author

ralic commented Oct 23, 2019

The majority of gulp users should be developers. Node.js can be updated either through yum or apt on Linux, or downloaded directly from the Node.js website on other systems. Getting an LTS version of Node.js should not be hard for a developer; instead, getting Node.js v0.12 gives the software being developed more chances of getting hacked. I think this is why npm audit is being developed: to provide safety.

Perhaps it might be like the Android system, where less than 1% would use the latest SDK. In contrast, Apple requires its developers to support the new SDK. It is a sad story to see Google's new Android SDK being deprecated by developers.

@phated
Member

phated commented Oct 23, 2019

No. I've already detailed this in many other issues and I'm sick of explaining it. Use the search.

@phated phated closed this Oct 23, 2019
@ralic
Author

ralic commented Oct 24, 2019

What if the test failures on lower Node.js versions get resolved?

I mean that I can try to fix the tests for these new dependencies to be more compatible with the older Node.js versions, if that is a necessary requirement up front.

@gulpjs gulpjs locked and limited conversation to collaborators May 4, 2020
3 participants