[Snyk] Security upgrade gulp from 4.0.2 to 5.0.0 #602
robertatakenaka wants to merge 1 commit into master from
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15032660 - https://snyk.io/vuln/SNYK-JS-TAR-15127355
Pull request overview
This PR upgrades gulp from version 4.0.2 to 5.0.0 to address two medium-severity Directory Traversal vulnerabilities in the transitive tar dependency (SNYK-JS-TAR-15032660 and SNYK-JS-TAR-15127355). However, the PR has significant compatibility concerns that must be addressed before merging.
Changes:
- Upgrades gulp dependency from ^4.0.2 to ^5.0.0 in package.json
| "dependencies": { | ||
| "bootstrap": "^3.1.1", | ||
| "gulp": "^4.0.2", | ||
| "gulp": "^5.0.0", |
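Review bot: gulp sits under "dependencies" in this hunk, so the bump to ^5.0.0 keeps a build tool (and its transitive tar) in the production install set; move it to devDependencies (`npm install --save-dev gulp@^5.0.0`) so an `npm ci --omit=dev` install does not ship it. The range change alone also does not pin the patched tar, since the PR body says package-lock.json was not updated: regenerate it with `npm install --package-lock-only` and commit the lockfile in the same PR, otherwise the advisory fix is not enforced on install.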
This major version upgrade from gulp 4.0.2 to 5.0.0 introduces breaking changes that may cause build failures. The gulpfile.js uses gulp-util on line 7, which is deprecated and not compatible with gulp 5.0. Additionally, gulp-minify-css (listed in dependencies) depends on gulp-util. Before merging, you should: 1) Replace gulp-util with its modern equivalents (fancy-log for logging, plugin-error for errors), 2) Update the package-lock.json as warned in the PR description, and 3) Test the build process to ensure all gulp tasks still work correctly with gulp 5.0.
| "dependencies": { | ||
| "bootstrap": "^3.1.1", | ||
| "gulp": "^4.0.2", | ||
| "gulp": "^5.0.0", |
The package-lock.json file has not been updated as part of this PR. The PR description explicitly warns "Failed to update the package-lock.json, please update manually before merging." This file must be updated before merging to ensure the correct versions of transitive dependencies are installed, particularly the patched versions of tar that fix the Directory Traversal vulnerabilities (SNYK-JS-TAR-15032660 and SNYK-JS-TAR-15127355).
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15032660
SNYK-JS-TAR-15127355
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.