@wordpress/scripts vulnerability | ww.wp.xz.cn

Resolved KJ Roelke
(@kjroelke)

1 year, 10 months ago
Hi!

This is a continuation of a previous support topic because it has been marked “Closed to replies” but the issue still persists.

I’ve been running @wordpress/scripts v27.9.0 for a while (had to wait until WP 6.6 was released to update because of the missing jsx-runtime-react dependency. At that version, terminal responds with “5 high severity issues” that appear to stemming from ws,puppeteer-core, lighthouse, and @wordpress/e2e-test-utils-playwright peer dependencies. I had hoped/assumed this would be fixed in @wordpress/scripts v28, but it has not.

What I’ve tried:
- Running npm audit fix --force downgrades @wordpress/scripts to v19.2.4, unsurprisingly causing 47 vulnerabilities.
- Upgrading to 28.0, .1, and .2 individually did not resolve the issues.
I’m happy to break apart the package and do things myself, but I’m not familiar enough with webpack, prettier and eslint to recreate the core of what my team needs (start/build commands that “just work” and config files).

Viewing 3 replies - 1 through 3 (of 3 total)

Moderator threadi
(@threadi)

1 year, 10 months ago

I would recommend you contact the Gutenberg team here with your request: https://github.com/WordPress/gutenberg/issues

If you consider the problem to be security-critical, please go here: https://make.ww.wp.xz.cn/core/handbook/testing/reporting-security-vulnerabilities/
Thread Starter KJ Roelke
(@kjroelke)

1 year, 10 months ago
Thanks! I’ve submitted an issue here.

I’m not familiar enough with with the packages or @wordpress/e2e-tests-utils-playwright to say if it’s security critical, but for new(ish) devs, it’s not awesome having these errors thrown in your command line (or being notified via GitHub Dependabot).

For now, the only workaround I’ve found is to use the overrides parameter in the package.json file as so:
```
"overrides": {
  "ws": "^8.18.0",
  "lighthouse": "^12.1.0",
  "puppeteer-core": "^22.13.1"
}
```
ingenieroleon
(@ingenieroleon)

1 year, 6 months ago

KJ you are the best, the workaround is working like a charm.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘@wordpress/scripts vulnerability’ is closed to new replies.

Tags

node

In: Developing with WordPress
4 replies
3 participants
Last reply from: ingenieroleon
Last activity: 1 year, 6 months ago
Status: resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics