webauthn.me

fix: upgrade grunt-contrib-pug to eliminate deprecated core-js dependency

Open harekrishnarai opened this issue 7 months ago • 1 comment

Description

This PR resolves a security vulnerability (SEC-3570) by eliminating the deprecated [email protected] dependency from the project's dependency tree.

Background: The project was using [email protected] which had a transitive dependency on deprecated [email protected] through the following chain:

[email protected][email protected][email protected][email protected][email protected][email protected]

Security Impact:

  • core-js@<3.23.3 is no longer maintained and not recommended for usage
  • Could cause performance degradation up to 100x due to V8 engine feature detection issues
  • Has known web compatibility issues in some versions

Solution: Upgraded grunt-contrib-pug from 1.0.0 to 3.0.0, which uses modern [email protected] and eliminates the entire deprecated dependency chain.

Implementation Details:

  • No breaking changes: The upgrade is backward compatible
  • No API changes: All existing Pug template functionality remains unchanged
  • Modern dependencies: Now uses actively maintained packages
  • Zero impact: Build process, webpack compilation, and site functionality remain intact

References

  • Security Issue: SEC-3570 - Deprecated core-js dependency vulnerability
  • Priority Score: 210 (Medium Severity)
  • Source: socket.dev vulnerability scan
  • JIRA Ticket: https://auth0team.atlassian.net/browse/SEC-3570

Testing

Security Verification:

# Verify no deprecated packages
npm ls | grep -i deprecated
# Result: (empty) ✅

# Verify no [email protected] in dependency tree  
npm ls core-js
# Result: (empty) ✅

# Security audit shows zero vulnerabilities
npm audit --only=prod
# Result: found 0 vulnerabilities ✅

# Verify grunt-contrib-pug version
npm ls grunt-contrib-pug
# Result: [email protected]

Functionality Testing:

# Build process works correctly
npm run build
# Result: ✅ Successful compilation

# Webpack builds complete without errors
# Result: ✅ All 6 entry points compiled successfully

# Pug template processing unchanged
# Result: ✅ All .pug files compiled to HTML correctly

Environment:

  • Node.js: v20.19.0
  • npm: 10.8.2
  • Dependencies: No breaking changes, all existing functionality preserved

Manual Testing:

  • Website loads and functions correctly
  • All WebAuthn functionality works as expected
  • Build artifacts are identical in structure and functionality
  • No UI changes or regressions observed
  • [x] This change adds test coverage for new/changed/fixed functionality

Checklist

  • [x] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • [x] All active GitHub checks for tests, formatting, and security are passing
  • [x] The correct base branch is being used, if not master

harekrishnarai avatar Jun 20 '25 20:06 harekrishnarai
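The "Security Verification" steps above rely on `npm ls core-js` and eyeballing the output. The following is an added example, not code from the PR or the webauthn.me project, showing how the same check can be made mechanical: it walks an npm lockfile's `packages` map (the lockfile v2/v3 layout), resolves each dependency the way npm does (nearest enclosing `node_modules`), and reports every chain from the root that reaches the named package below a minimum version. The two lockfiles are constructed inline; package names and versions other than `grunt-contrib-pug` 1.0.0/3.0.0 and the `core-js` 3.23.3 threshold are illustrative assumptions, not the project's real tree.

```javascript
// Added example (not part of the PR). Finds dependency chains in an npm lockfile
// that reach `target` at a version below `minVersion`, similar to `npm ls <pkg>`
// but with a threshold so the result can gate a CI job.

// Parse "major.minor.patch"; prerelease and build suffixes are ignored here.
function parseVersion(v) {
  return v.split('-')[0].split('+')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// npm resolves `name` from a package location by looking in the nearest
// enclosing node_modules directory, walking up to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (key ""), collecting every chain that
// ends at `target` with a version older than `minVersion`.
function findChains(lock, target, minVersion) {
  const packages = lock.packages;
  const hits = [];
  const visit = (path, chain, seen) => {
    const entry = packages[path];
    for (const name of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cycle
      const dep = packages[depPath];
      const label = `${name}@${dep.version}`;
      if (name === target) {
        if (compareVersions(dep.version, minVersion) < 0) hits.push([...chain, label].join(' > '));
        continue;
      }
      visit(depPath, [...chain, label], new Set([...seen, depPath]));
    }
  };
  visit('', [], new Set());
  return hits;
}

// Constructed lockfile fragment standing in for the tree before the upgrade
// (intermediate package names/versions are assumptions for illustration).
const lockBefore = {
  packages: {
    '': { dependencies: { 'grunt-contrib-pug': '^1.0.0', 'some-lib': '^1.0.0' } },
    'node_modules/grunt-contrib-pug': { version: '1.0.0', dependencies: { pug: '^2.0.0' } },
    'node_modules/grunt-contrib-pug/node_modules/pug': { version: '2.0.0', dependencies: { 'core-js': '^2.0.0' } },
    'node_modules/grunt-contrib-pug/node_modules/core-js': { version: '2.6.0' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'core-js': '^3.0.0' } },
    'node_modules/core-js': { version: '3.30.0' }, // hoisted, modern: must not be flagged
  },
};

// Constructed lockfile fragment standing in for the tree after the upgrade.
const lockAfter = {
  packages: {
    '': { dependencies: { 'grunt-contrib-pug': '^3.0.0', 'some-lib': '^1.0.0' } },
    'node_modules/grunt-contrib-pug': { version: '3.0.0', dependencies: { pug: '^3.0.0' } },
    'node_modules/pug': { version: '3.0.0' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'core-js': '^3.0.0' } },
    'node_modules/core-js': { version: '3.30.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, lock] of [['before', lockBefore], ['after', lockAfter]]) {
    const chains = findChains(lock, 'core-js', '3.23.3');
    console.log(`${name}: ${chains.length} chain(s) below core-js 3.23.3`);
    chains.forEach(c => console.log('  ' + c));
  }
}
```

Running the block against a real project would replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result is the signal to fail the build, and the printed chain tells the reviewer which direct dependency to upgrade, which is exactly the information the "Background" chain in this PR conveys.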