Security errors and warning fixes (February 2025) #302

Open
dhawalepranav opened this issue Feb 21, 2025 · 5 comments

dhawalepranav commented Feb 21, 2025

We need to fix all the warnings and errors mentioned in the following places:

Before starting the work, please add a Plan of Action along with the time estimations and get it approved by your Project Co-ordinator or Project Manager.

@dhawalepranav dhawalepranav changed the title Security error and warning fixes (February 2025) Security errors and warnings fixes (February 2025) Feb 21, 2025
@dhawalepranav dhawalepranav changed the title Security errors and warnings fixes (February 2025) Security errors and warning fixes (February 2025) Feb 21, 2025
@Vedant-Gandhi
Contributor

Hi @dhawalepranav, here is a plan of action along with time estimations:

Dependabot

  • Local environment setup with Playwright environment (1.5 hours)
  • Update package dependencies (2 hours):
    - loader-utils
    - path-to-regexp
    - cross-spawn
    - http-proxy-middleware
    - body-parser
    - semver
    - webpack-dev-middleware
    - braces
    - nanoid
    - follow-redirects
    - express
    - postcss
    - @sideway/formula
    - xml2js
    - serialize-javascript
    - webpack
    - Babel
  • Performing any code updates after updating the packages (2 hours)
  • Perform testing after updating the above dependencies (1 hour)

Codescanning

  • Understanding the GitHub Workflow (1 hour)
  • GitHub workflow updates:
    • Update PHPCS workflow to use SHA commit (1 hour)
    • Basic permissions configuration (2 hours)
  • Final testing of the workflow with updated packages (2 hours)

Buffer Time - 2 hours

Total: 12 hours - 14 hours
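
The two Codescanning items in the plan above (pinning workflow actions to a commit SHA and adding a permissions block) can be checked mechanically. The following is an added example, not part of the original comment or the project's code; the workflow text, `example-org/phpcs-action` and its SHA are constructed placeholders, and the check only looks for a top-level `permissions:` key using line matching rather than a full YAML parse.

```javascript
// Added example: heuristic audit of a GitHub Actions workflow for the two
// code-scanning items in the plan (actions pinned to a commit SHA, and an
// explicit permissions block). Line-based matching, not a full YAML parser.

// Constructed sample input. "example-org/phpcs-action" and its SHA are
// placeholders, not the project's real workflow or a real commit.
const SAMPLE_WORKFLOW = `
name: PHPCS
on: pull_request
jobs:
  phpcs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/phpcs-action@0123456789abcdef0123456789abcdef01234567 # v1.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:latest
`;

function auditWorkflow(text) {
  const findings = [];
  const lines = text.split(/\r?\n/);
  // In block-style YAML a key at column 0 is a top-level key.
  if (!lines.some((l) => /^permissions\s*:/.test(l))) {
    findings.push({ line: 0, rule: "no-top-level-permissions", ref: null });
  }
  lines.forEach((raw, i) => {
    const m = raw.match(/^\s*(?:-\s*)?uses\s*:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./")) return; // local action, versioned with the repo
    if (ref.startsWith("docker://")) {
      // Container references are immutable only when pinned by digest.
      if (!/@sha256:[0-9a-f]{64}$/.test(ref)) {
        findings.push({ line: i + 1, rule: "unpinned-image", ref });
      }
      return;
    }
    // Tags and branches can be moved; only a full 40-hex commit SHA is fixed.
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!/^[0-9a-f]{40}$/i.test(version)) {
      findings.push({ line: i + 1, rule: "unpinned-action", ref });
    }
  });
  return findings;
}

console.log(auditWorkflow(SAMPLE_WORKFLOW));
```

A workflow that declares permissions only at job level is still reported by the first rule, so review that finding by hand before treating it as a defect.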

@dhawalepranav
Author

@Vedant-Gandhi Thanks for the detailed PoA. You can proceed with the Development work.

@Vedant-Gandhi
Contributor

Vedant-Gandhi commented Feb 24, 2025

Hi @dhawalepranav, here are the packages that need action to update compatibility with Node 20.

| Package Name | Current Version | Newer Version | Is Deprecated | Details |
|---|---|---|---|---|
| babel-eslint | 10.0.1 | 10.1.0 | No | |
| babel-loader | 7.1.1 | 9.2.1 | No | |
| babel-plugin-lodash | 3.2.11 | 3.3.4 | No | |
| babel-plugin-transform-object-rest-spread | 6.26.0 | Already latest | No | |
| babel-plugin-transform-react-jsx | 6.24.1 | Already latest | No | |
| babel-plugin-transform-runtime | 6.23.0 | Already latest | No | |
| babel-preset-env | 1.7.0 | Already latest | No | |
| classnames | 2.2.5 | 2.5.1 | No | |
| cross-env | 5.0.1 | 7.0.3 | No | |
| diff | 4.0.1 | 7.0.0 | No | |
| eslint | 4.18.2 | 9.21.0 | No | |
| eslint-config-wordpress | 2.0.0 | 2.0.0 | No | |
| eslint-plugin-jest | 21.5.0 | 28.11.0 | No | |
| eslint-plugin-jsx-a11y | 6.0.3 | 6.10.2 | No | |
| eslint-plugin-react | 7.5.1 | 7.37.4 | No | |
| eslint-plugin-wordpress | N/A | N/A | Yes | We need to install @wordpress/eslint-plugin. No other changes needed |
| glob | 7.1.2 | 11.0.1 | No | |
| grunt | 1.0.1 | 1.6.1 | No | |
| grunt-autoprefixer | 3.0.4 | N/A | Yes | We need to install grunt-postcss and test it thoroughly. Modification in gruntfile.js needed. |
| grunt-contrib-cssmin | 3.0.0 | 5.0.0 | No | |
| grunt-contrib-uglify | 2.0.0 | 5.2.2 | Yes | We need to migrate to this - https://github.com/webpack-contrib/terser-webpack-plugin |
| grunt-contrib-watch | 1.0.0 | 1.1.0 | No | |
| jest | 25.5.2 | 29.7.0 | No | |
| load-grunt-tasks | 5.1.0 | 5.1.0 | No | |
| serialize-javascript | 2.1.2 | 6.0.2 | No | |
| webpack | 4.41.2 | 5.98.0 | No | |
| webpack-cli | 3.3.11 | 6.0.1 | No | |
| @wordpress/api-fetch | 3.6.0 | 7.18.0 | No | |

cc - @Pathan-Amaankhan

@Vedant-Gandhi
Contributor

Vedant-Gandhi commented Feb 25, 2025

Update -
After testing the upgrade process locally, I discovered that several additional packages needed to be upgraded since most of the babel-* packages are no longer maintained and have been moved to babel/* repository. Here is the updated package list:

| Package Name | Current Version | Newer Version | Is Deprecated | Details |
|---|---|---|---|---|
| @babel/core | N/A | 7.26.9 | | Replaces babel-core for Babel 7 |
| @babel/eslint-parser | N/A | 7.26.8 | | Replaces babel-eslint for Babel 7 |
| @babel/plugin-transform-object-rest-spread | N/A | 7.25.9 | | Replaces babel-plugin-transform-object-rest-spread for Babel 7 |
| @babel/plugin-transform-react-jsx | N/A | 7.25.9 | | Replaces babel-plugin-transform-react-jsx for Babel 7 |
| @babel/plugin-transform-runtime | N/A | 7.26.9 | | Replaces babel-plugin-transform-runtime for Babel 7 |
| @babel/preset-env | N/A | 7.26.9 | | Replaces babel-preset-env for Babel 7 |
| babel-eslint | 10.0.1 | 10.1.0 | | Replaced by @babel/eslint-parser |
| babel-loader | 7.1.1 | 9.2.1 | | Major version update |
| babel-plugin-lodash | 3.2.11 | 3.3.4 | | Minor version update |
| babel-plugin-transform-object-rest-spread | 6.26.0 | Already latest | | Replaced by @babel/plugin-transform-object-rest-spread |
| babel-plugin-transform-react-jsx | 6.24.1 | Already latest | | Replaced by @babel/plugin-transform-react-jsx |
| babel-plugin-transform-runtime | 6.23.0 | Already latest | | Replaced by @babel/plugin-transform-runtime |
| babel-preset-env | 1.7.0 | Already latest | | Replaced by @babel/preset-env |
| classnames | 2.2.5 | 2.5.1 | | Minor version update |
| cross-env | 5.0.1 | 7.0.3 | | Major version update |
| diff | 4.0.1 | 7.0.0 | | Major version update |
| eslint | 4.18.2 | 9.21.0 | | Major version update |
| eslint-config-wordpress | 2.0.0 | 2.0.0 | | No changes required |
| eslint-plugin-jest | 21.5.0 | 28.11.0 | | Major version update |
| eslint-plugin-jsx-a11y | 6.0.3 | 6.10.2 | | Minor version update |
| eslint-plugin-react | 7.5.1 | 7.37.4 | | Major version update |
| eslint-plugin-wordpress | N/A | N/A | | Install @wordpress/eslint-plugin. No other changes needed |
| glob | 7.1.2 | 11.0.1 | | Major version update |
| grunt | 1.0.1 | 1.6.1 | | Major version update |
| grunt-autoprefixer | 3.0.4 | N/A | | Install grunt-postcss and test thoroughly. Modification in gruntfile.js required. |
| grunt-contrib-cssmin | 3.0.0 | 5.0.0 | | Major version update |
| grunt-contrib-watch | 1.0.0 | 1.1.0 | | Minor version update |
| jest | 25.5.2 | 29.7.0 | | Major version update |
| load-grunt-tasks | 5.1.0 | 5.1.0 | | No changes required |
| serialize-javascript | 2.1.2 | 6.0.2 | | Major version update |
| terser-webpack-plugin | N/A | 5.3.11 | | New package replacing uglifyjs-webpack-plugin |
| uglifyjs-webpack-plugin | 2.0.0 | 2.2.0 | | Migrate to: https://github.com/webpack-contrib/terser-webpack-plugin |
| webpack | 4.41.2 | 5.98.0 | | Major version update |
| webpack-cli | 3.3.11 | 6.0.1 | | Major version update |
| @wordpress/api-fetch | 3.6.0 | 7.18.0 | | Major version update |

I have tested the changes locally, and everything is working fine.

There is only one warning that can be safely ignored for now: 'isModuleDeclaration' has been deprecated. The recommendation is to migrate to isImportOrExportDeclaration. This warning is emitted by babel-plugin-lodash, which is no longer maintained. However, it still produces valid code output and functions as intended.

cc - @dhawalepranav @Pathan-Amaankhan

@Pathan-Amaankhan
Member

Hi @Vedant-Gandhi,
Everything looks good in the above table. Let's raise a PR with the changes mentioned in the table.

cc: @dhawalepranav
