
Update vulnerable NPM dependencies with auto-fixable version updates #10674


Open · 1 task
techanvil opened this issue Apr 24, 2025 · 0 comments
Labels: Next Up (Issues to prioritize for definition), P0 (High priority), Type: Infrastructure (Engineering infrastructure & tooling)

Comments

techanvil (Collaborator) commented Apr 24, 2025

Feature Description

We have a fairly large number of NPM dependencies which are flagged as vulnerable by NPM, as can be seen when running npm ci. The vulnerable package count is 149 at the time of writing:

[Screenshot: npm ci output reporting the vulnerable package count]

We should update these to non-vulnerable versions where possible. This will need to be done over the course of multiple issues; this one can address those packages which can be updated automatically, with more complicated updates addressed in one or more subsequent issues.

This issue should be tackled once #5862 has been implemented, as a test run of npm audit fix shows that a number of the packages need Puppeteer to be updated in order to unblock their fixes.


Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

  • Vulnerable NPM dependencies identified via npm audit which can be auto-fixed should be updated to their non-vulnerable versions.
  • There should be no functional changes to the Site Kit plugin and infrastructure.

Implementation Brief

  • Run npm audit fix --workspaces in the repo root.

Test Coverage

  • Fix any failing tests; hopefully all tests will continue to pass without modification.

QA Brief

Changelog entry
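The plan above splits the audit findings into those npm audit fix can resolve on its own and those that need a separate issue because a dependency such as Puppeteer must first be bumped across a major version. The following triage script is an added example, not code from the Site Kit project: it reads the JSON produced by npm audit --json (npm 7 and later), where fixAvailable is true, false, or an object naming the package whose update unblocks the fix and whether that update is semver-major. The package names and advisory data below are constructed.

```python
import json

# Constructed sample in the shape of `npm audit --json` (npm 7+). The
# "fixAvailable" field is true when `npm audit fix` can resolve the
# advisory within current semver ranges, an object when the fix hinges on
# updating a named package (isSemVerMajor marks the bumps npm refuses
# without --force), and false when no fixed release exists yet.
# All package names and versions here are placeholders, not real advisories.
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "pkg-a": {"severity": "high", "isDirect": False, "fixAvailable": True},
        "pkg-b": {"severity": "moderate", "isDirect": False,
                  "fixAvailable": {"name": "puppeteer", "version": "99.0.0",
                                   "isSemVerMajor": True}},
        "pkg-c": {"severity": "low", "isDirect": True, "fixAvailable": False},
        "pkg-d": {"severity": "critical", "isDirect": False,
                  "fixAvailable": {"name": "pkg-d", "version": "2.3.1",
                                   "isSemVerMajor": False}},
    },
    "metadata": {"vulnerabilities": {"total": 4}},
})


def triage(audit_json: str) -> dict:
    """Bucket an npm audit report the way the issue plan does.

    auto_fixable: a plain `npm audit fix` can update these in place.
    needs_major:  a fix exists but requires a semver-major bump of some
                  package; grouped by that blocking package so each group
                  can become its own follow-up issue.
    no_fix:       no fixed release is available yet; track and monitor.
    """
    report = json.loads(audit_json)
    result = {"auto_fixable": [], "needs_major": {}, "no_fix": []}
    for name, vuln in sorted(report.get("vulnerabilities", {}).items()):
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            result["auto_fixable"].append(name)
        elif isinstance(fix, dict):
            if fix.get("isSemVerMajor"):
                result["needs_major"].setdefault(fix["name"], []).append(name)
            else:
                result["auto_fixable"].append(name)
        else:
            result["no_fix"].append(name)
    return result


if __name__ == "__main__":
    # On a real checkout: npm audit --json --workspaces > audit.json
    print(json.dumps(triage(SAMPLE_AUDIT), indent=2))
```

Running it over a real report before and after npm audit fix --workspaces gives a quick check that the auto_fixable bucket emptied and that nothing moved into needs_major or no_fix unexpectedly.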

@techanvil techanvil added P1 Medium priority Type: Infrastructure Engineering infrastructure & tooling P0 High priority and removed P1 Medium priority labels Apr 24, 2025
@techanvil techanvil assigned techanvil and unassigned techanvil Apr 28, 2025
@binnieshah binnieshah added the Next Up Issues to prioritize for definition label May 1, 2025