
Security improvement #2388

Closed
wants to merge 2 commits into from

Conversation

@ralic

ralic commented Oct 22, 2019

Original pull request:
#2386

Please reconsider this pull request because:

1) All tests passed.
https://travis-ci.org/SaferNodeJS/gulp
https://travis-ci.org/SaferNodeJS/gulp/builds

Security improvement reported as follows:
Before

added 675 packages from 696 contributors and audited 7707 packages in 65.48s
found 47 vulnerabilities (17 low, 7 moderate, 21 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

After Fixing

added 635 packages from 822 contributors and audited 7354 packages in 41.695s
found 0 vulnerabilities
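The before/after lines above are the one-line summary npm prints at the end of an install. To make that number a CI gate rather than something read off a log, the counts can be taken from `npm audit --json` and compared against a severity threshold. The script below is an added example, not code from the gulp project or from the PR author; it assumes the report shape npm itself emits, where both the npm 6 report and the npm 7+ report (`auditReportVersion` 2) carry per-severity counts under `metadata.vulnerabilities`. The two embedded reports are constructed to match the counts quoted in this PR, not captured from a real run.

```python
"""Gate a CI job on `npm audit --json` output.

Added example, not code from the gulp project or from the PR author. It
assumes the JSON shape npm itself emits: both the npm 6 report and the
npm 7+ report (auditReportVersion 2) carry the per-severity counts under
metadata.vulnerabilities. The two samples below are constructed to match
the counts quoted in the PR description, not captured from a real run.
"""
import json

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample: npm 6 style report matching the "Before" counts.
BEFORE_REPORT = json.dumps({
    "actions": [],
    "advisories": {},
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 17, "moderate": 7, "high": 21, "critical": 2},
        "dependencies": 7707,
    },
})

# Constructed sample: npm 7+ style report matching the "After Fixing" counts.
AFTER_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 0, "total": 0},
    },
})


def severity_counts(report_json):
    """Return {severity: count} from an npm audit JSON report (npm 6 or 7+)."""
    report = json.loads(report_json)
    counts = report.get("metadata", {}).get("vulnerabilities")
    if counts is None:
        raise ValueError("not an npm audit report: metadata.vulnerabilities missing")
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITY_ORDER}


def audit_gate(report_json, fail_level="high"):
    """Decide whether a CI job should fail.

    Returns (should_fail, blocking_count, total), where blocking_count is the
    number of findings at or above fail_level and total is the count across
    all severities.
    """
    if fail_level not in SEVERITY_ORDER:
        raise ValueError("unknown severity level: %r" % fail_level)
    counts = severity_counts(report_json)
    threshold = SEVERITY_ORDER.index(fail_level)
    blocking = sum(counts[sev] for sev in SEVERITY_ORDER[threshold:])
    total = sum(counts.values())
    return blocking > 0, blocking, total


def summary_line(report_json):
    """Render the counts in the same one-line style npm prints, e.g.
    'found 47 vulnerabilities (17 low, 7 moderate, 21 high, 2 critical)'."""
    counts = severity_counts(report_json)
    total = sum(counts.values())
    if total == 0:
        return "found 0 vulnerabilities"
    parts = ["%d %s" % (counts[sev], sev) for sev in SEVERITY_ORDER if counts[sev]]
    return "found %d vulnerabilities (%s)" % (total, ", ".join(parts))


if __name__ == "__main__":
    import sys
    # Usage: npm audit --json | python audit_gate.py [fail_level]
    # With no piped input the constructed "Before" report is used.
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    data = sys.stdin.read() if not sys.stdin.isatty() else BEFORE_REPORT
    should_fail, blocking, total = audit_gate(data, level)
    print(summary_line(data))
    print("%d finding(s) at or above %s" % (blocking, level))
    sys.exit(1 if should_fail else 0)
```

Two caveats worth keeping in mind when reading a 47-to-0 drop like the one in this PR: npm 6 counts vulnerable dependency paths rather than distinct advisories, so a single advisory reachable through many paths inflates the number, and the count includes devDependencies, which never ship with the package. npm itself also accepts `--audit-level` to set the exit-code threshold; the script above does the same from the JSON so the counts can be recorded alongside the build instead of only failing it.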
ralic added 2 commits Oct 12, 2019
For better security concerns, removed support for older versions of Node.js
@demurgos

Member

demurgos commented Oct 23, 2019

@ralic
This is a breaking change. Even if the Node maintainers and some plugins dropped support for older Node versions, Gulp still supports them (yes, even Node 0.10).

If you want to fix these vulnerabilities, the first step is to open an issue to discuss the supported Node versions.

@ralic

Author

ralic commented Oct 23, 2019

The majority of gulp users are likely to be developers. Node.js can be updated through yum or apt on Linux, or downloaded directly from the Node.js website on other systems. Getting an LTS version of Node.js should not be hard for a developer; instead, using Node.js v0.12 increases the chances of the software being developed getting hacked. I think this is why npm audit is being developed: to provide safety.

Perhaps it is like the Android ecosystem, where less than 1% use the latest SDK, whereas Apple requires its developers to support the new SDK. It is a sad story to see Google's new Android SDK deprecated by developers.

@phated

Member

phated commented Oct 23, 2019

No. I've already detailed this in many other issues and I'm sick of explaining it. Use the search.

@phated phated closed this Oct 23, 2019
@ralic

Author

ralic commented Oct 24, 2019

What if the test failures on the lower Node.js versions get resolved?

I mean that I can try to fix the tests for these new dependencies so they are more compatible with the older Node.js versions, if that is a necessary requirement up front.

3 participants