Plugin Author
wpsoul
(@wpsoul)
Hi. Please explain more. I checked your list, but none of them are in the dependencies of Greenshift:
https://share.cleanshot.com/2Z9WK45T
Where did you find this information?
Our GitHub Dependabot scan identifies them as issues. While they may not be direct dependencies, they are in the dependency graph, as they show up in the package-lock.json in our Greenshift plugins.
For example, “@babel/traverse”: “^7.20.1” is in the package-lock.json for greenshiftwoo, which is impacted by NVD CVE-2023-45133. These should be relatively easy to fix by just upgrading the version in the package.json, but we don’t want to have to do this ourselves, since we would have to redo it every time we update a Greenshift plugin.
Hi. You can see the dependencies in the file package.json.
You will see that we do not have any dependencies on Babel.
However, this can be a dependency of wordpress/scripts, which is required for third-party blocks. You can suggest updating it to the Gutenberg devs. More at https://developer.ww.wp.xz.cn/block-editor/reference-guides/packages/packages-scripts/
This is the npm page: https://www.npmjs.com/package/@wordpress/scripts
Please note that this package is not used directly by the plugin; it’s used only for web packing and is not in use on your site at the frontend.
I’m well aware of what these security issues are. You are completely wrong that these are a current dependency of wordpress/scripts; they were patched years ago by WordPress, and current wordpress/scripts depends on a patched version of Babel. You are depending on “version”: “22.5.0” of wordpress/scripts (check line 4267 of the package-lock.json in greenshiftwoo), which was published 3 years ago.
https://www.npmjs.com/package/@wordpress/scripts/v/22.5.0
Please fix, so I can continue to use GreenShift (which I am a big fan of) in my organization.
Yes, we use old wp-scripts, but it’s used only as a dev dependency, only for packing; it’s not included in the production release and not available in the plugin’s files.
Anyway, I updated wp-scripts in the package file, if this helps you feel safer. Thank you for the notice.
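The two questions argued over in this thread, whether the flagged package is only a transitive dependency and whether every copy of it is reachable solely through devDependencies (build tooling such as @wordpress/scripts, so absent from the shipped plugin), can both be answered mechanically from package-lock.json rather than from package.json alone. The script below is an added example written for this thread; it is not code from the thread, from Dependabot or from the Greenshift project. It assumes a lockfileVersion 2/3 layout (the `packages` map), uses a constructed miniature lockfile whose edges, extra runtime library and nested copy are illustrative, and takes the "fixed in" version as a parameter whose sample value is an assumption to be replaced by the value in the advisory for the CVE in question.

```javascript
// Added example (not from the thread or the Greenshift project): triage a
// Dependabot-style alert against a package-lock.json by reporting, for every
// copy of the flagged package, the dependency path that pulls it in, whether
// that path starts from dependencies or devDependencies, and whether the
// installed copy is below the fixed version.
//
// SAMPLE_LOCK is a CONSTRUCTED miniature in lockfileVersion 2/3 layout. The
// package names mirror the thread; the edges, 'example-runtime-lib' and the
// nested copy under @babel/core are illustrative, not taken from any real lock.
const SAMPLE_LOCK = {
  name: 'greenshiftwoo',
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { 'example-runtime-lib': '^1.0.0' },
      devDependencies: { '@wordpress/scripts': '^22.5.0' },
    },
    'node_modules/example-runtime-lib': {
      version: '1.0.3',
      dependencies: { '@babel/traverse': '^7.23.0' },
    },
    'node_modules/@wordpress/scripts': {
      version: '22.5.0', dev: true,
      dependencies: { '@babel/core': '^7.20.0' },
    },
    'node_modules/@babel/core': {
      version: '7.20.5', dev: true,
      dependencies: { '@babel/traverse': '7.20.1' },
    },
    // Conflicting ranges force an un-hoisted copy: a scan that only reads the
    // top-level node_modules entry would miss this one.
    'node_modules/@babel/core/node_modules/@babel/traverse': { version: '7.20.1', dev: true },
    'node_modules/@babel/traverse': { version: '7.23.9' },
  },
};

// Numeric components of "7.20.1" (any pre-release suffix is dropped).
function parseVersion(v) {
  return v.replace(/^[^0-9]*/, '').split('-')[0].split('.').map(Number);
}

// True when `version` is strictly below `fixedIn`, i.e. still in the affected range.
function isBelow(version, fixedIn) {
  const a = parseVersion(version), b = parseVersion(fixedIn);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// npm's resolution rule: a dependency of the package stored at `fromKey` is the
// nearest node_modules entry walking up from fromKey, falling back to the
// hoisted top-level entry. Scoped names (@scope/name) are handled.
function resolveKey(lock, fromKey, dep) {
  let base = fromKey;
  while (base !== '') {
    const candidate = `${base}/node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    const parent = base.replace(/(^|\/)node_modules\/(@[^/]+\/)?[^/]+$/, '');
    if (parent === base) break; // malformed key: stop rather than loop forever
    base = parent;
  }
  const top = `node_modules/${dep}`;
  return lock.packages[top] ? top : null;
}

// Depth-first walk from a list of root dependency names; returns every
// root -> ... -> target path as an array of { key, name, version } steps.
function findPaths(lock, rootDeps, target) {
  const found = [];
  const walk = (fromKey, dep, trail) => {
    const key = resolveKey(lock, fromKey, dep);
    if (key === null || trail.some(t => t.key === key)) return; // missing entry or cycle
    const entry = lock.packages[key];
    const next = trail.concat({ key, name: dep, version: entry.version });
    if (dep === target) { found.push(next); return; }
    for (const child of Object.keys(entry.dependencies || {})) walk(key, child, next);
  };
  for (const dep of rootDeps) walk('', dep, []);
  return found;
}

// Summarise the alert: is the package direct, and is any affected copy
// reachable from production dependencies or only from devDependencies?
function triage(lock, target, fixedIn) {
  const root = lock.packages[''] || {};
  const prodRoots = Object.keys(root.dependencies || {});
  const devRoots = Object.keys(root.devDependencies || {});
  const describe = paths => paths.map(p => ({
    path: p.map(t => `${t.name}@${t.version}`).join(' -> '),
    version: p[p.length - 1].version,
    affected: isBelow(p[p.length - 1].version, fixedIn),
  }));
  const production = describe(findPaths(lock, prodRoots, target));
  const development = describe(findPaths(lock, devRoots, target));
  const affectedInProduction = production.some(p => p.affected);
  return {
    direct: prodRoots.includes(target) || devRoots.includes(target),
    affectedInProduction,
    affectedDevOnly: !affectedInProduction && development.some(p => p.affected),
    production,
    development,
  };
}

// '7.23.2' is an ASSUMED fixed-in version for illustration; substitute the
// value given in the advisory for the CVE you are triaging.
console.log(JSON.stringify(triage(SAMPLE_LOCK, '@babel/traverse', '7.23.2'), null, 2));
```

On the constructed lock, the report says @babel/traverse is not direct, the production path reaches a copy above the fixed version, and the only affected copy sits under @wordpress/scripts via devDependencies, which is the "build-time only, not in the shipped plugin" situation described above. A real lockfile can be loaded with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of SAMPLE_LOCK; npm's own `dev: true` flag on each entry gives the dev-only answer more cheaply, but without the paths, which are what a scanner report needs to show when the finding is explained to a client.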
Thank you. I know that it isn’t included in the production release and isn’t actually causing a vulnerability in production; however, it showed up on our codebase vulnerability scans, and it isn’t something we want to have to explain to our enterprise clients when they request vulnerability scans of our platform.
Which tool do you use for the scan?