scaffold-command icon indicating copy to clipboard operation
scaffold-command copied to clipboard

Published 20 hours ago verified publisher icon wp-cli

npm dependencies in wp scaffold plugin

Open rosswintle opened this issue 4 years ago • 2 comments

Bug Report

Describe the current, buggy behavior

Running wp scaffold plugin generates a package.json which contains:

  "devDependencies": {
    "grunt": "~0.4.5",
    "grunt-wp-i18n": "~0.5.0",
    "grunt-wp-readme-to-markdown": "~1.0.0"
  }

Running npm install on this generates this output:

added 48 packages from 51 contributors and audited 117 packages in 2.265s
found 51 vulnerabilities (10 low, 13 moderate, 28 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Pushing a plugin with these dependencies to GitHub will send you a message:

Known high severity security vulnerability detected in lodash < 4.17.13 defined in package-lock.json.
--
package-lock.json update suggested: lodash ~> 4.17.13.

The "bug" is that the plugin scaffold includes known high-severity security dependencies.

I'm not hugely familiar with the dependencies and why they might be at these versions but:

  • Grunt's stable version is 1.0.3
  • grunt-wp-i18n is at 1.0.3
  • grunt-wp-readme-to-markdown is at 2.0.1

Describe how other contributors can replicate this bug

  • run wp scaffold plugin
  • run npm install
  • (optional) run npm audit

Describe what you would expect as the correct outcome

Scaffolded plugin should have dependencies with known insecurities

Let us know what environment you are running this on

OS:	Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
Shell:	/usr/local/bin/zsh
PHP binary:	/Applications/MAMP/bin/php/php7.1.12/bin/php
PHP version:	7.1.12
php.ini used:	/Applications/MAMP/bin/php/php7.1.12/conf/php.ini
WP-CLI root dir:	phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:	phar://wp-cli.phar/vendor
WP_CLI phar path:	/Users/rosswintle/projects/rosswintle/wp-content/plugins/plugin-test
WP-CLI packages dir:	/Users/rosswintle/.wp-cli/packages/
WP-CLI global config:	/Users/rosswintle/.wp-cli/config.yml
WP-CLI project config:
WP-CLI version:	2.2.0

Provide a possible solution

Someone will need to analyse the dependencies and update them to appropriate versions

rosswintle avatar Aug 01 '19 21:08 rosswintle

I'm not sure grunt is actually needed here anymore. The grunt-wp-i18n dependency can be replaced with the new wp i18n WP-CLI command, and I'm sure we can easily whip up a new command for turning Readme text files into Markdown...

So I'd suggest looking into getting rid of Grunt altogether for a base plugin. If you happen to need a better build system, then it should probably be assembled on-the-fly out of what Core is currently doing for Gutenberg. This way, it would keep current with Core.

schlessera avatar Aug 06 '19 11:08 schlessera