scaffold-command
scaffold-command copied to clipboard
npm dependencies in wp scaffold plugin
Bug Report
Describe the current, buggy behavior
Running wp scaffold plugin
generates a package.json
which contains:
"devDependencies": {
"grunt": "~0.4.5",
"grunt-wp-i18n": "~0.5.0",
"grunt-wp-readme-to-markdown": "~1.0.0"
}
Running npm install
on this generates this output:
added 48 packages from 51 contributors and audited 117 packages in 2.265s
found 51 vulnerabilities (10 low, 13 moderate, 28 high)
run `npm audit fix` to fix them, or `npm audit` for details
Pushing a plugin with these dependencies to GitHub will send you a message:
Known high severity security vulnerability detected in lodash < 4.17.13 defined in package-lock.json.
--
package-lock.json update suggested: lodash ~> 4.17.13.
The "bug" is that the plugin scaffold includes known high-severity security dependencies.
I'm not hugely familiar with the dependencies and why they might be at these versions but:
- Grunt's stable version is 1.0.3
- grunt-wp-i18n is at 1.0.3
- grunt-wp-readme-to-markdown is at 2.0.1
Describe how other contributors can replicate this bug
- run
wp scaffold plugin
- run
npm install
- (optional) run
npm audit
Describe what you would expect as the correct outcome
Scaffolded plugin should have dependencies with known insecurities
Let us know what environment you are running this on
OS: Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
Shell: /usr/local/bin/zsh
PHP binary: /Applications/MAMP/bin/php/php7.1.12/bin/php
PHP version: 7.1.12
php.ini used: /Applications/MAMP/bin/php/php7.1.12/conf/php.ini
WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir: phar://wp-cli.phar/vendor
WP_CLI phar path: /Users/rosswintle/projects/rosswintle/wp-content/plugins/plugin-test
WP-CLI packages dir: /Users/rosswintle/.wp-cli/packages/
WP-CLI global config: /Users/rosswintle/.wp-cli/config.yml
WP-CLI project config:
WP-CLI version: 2.2.0
Provide a possible solution
Someone will need to analyse the dependencies and update them to appropriate versions
I'm not sure grunt is actually needed here anymore. The grunt-wp-i18n
dependency can be replaced with the new wp i18n
WP-CLI command, and I'm sure we can easily whip up a new command for turning Readme text files into Markdown...
So I'd suggest looking into getting rid of Grunt altogether for a base plugin. If you happen to need a better build system, then it should probably be assembled on-the-fly out of what Core is currently doing for Gutenberg. This way, it would keep current with Core.