Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scripts: Update puppeteer-core dependency #64597

Merged
merged 9 commits into from
Sep 4, 2024
Merged

Scripts: Update puppeteer-core dependency #64597

merged 9 commits into from
Sep 4, 2024

Conversation

jacobcassidy
Copy link
Contributor

@jacobcassidy jacobcassidy commented Aug 17, 2024
edited
Loading

What?

Upgrades the puppeteer-core package to the latest version (23.1.0).

Why?

This PR fixes the issue with @wordpress/scripts having five high-severity vulnerabilities introduced with an older version of the puppeteer-core package.

See: #63771

How?

Removes the sub-dependencies versions with vulnerabilities.

Testing Instructions

  1. In a WP theme development environment, run npm install @wordpress/scripts path webpack-remove-empty-scripts --save-dev
  2. Run npm audit and you'll see a warning for 5 high-severity vulnerabilities.
  3. Add the following to your package.json file: 
    "overrides": {
    "puppeteer-core": "^23.1.0"
}
  4. Run npm install to update the packages.
  5. The vulnerabilities are now removed.

@jacobcassidy
Fix the issue with @wordpress/scripts having 5 high severity vulner…
af26f62 
…abilities by upgrading the `puppeteer-core` package to the latest version (23.1.0)
@jacobcassidy
Update scripts package version to 28.6.0
7373486
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 17, 2024
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: jacobcassidy <[email protected]>
Co-authored-by: gziolo <[email protected]>
Co-authored-by: Mamaduka <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions github-actions bot added the First-time Contributor Pull request opened by a first-time contributor to Gutenberg repository label Aug 17, 2024
@github-actions GitHub Actions
Copy link

👋 Thanks for your first Pull Request and for helping build the future of Gutenberg and WordPress, @jacobcassidy! In case you missed it, we'd love to have you join us in our Slack community.

If you want to learn more about WordPress development in general, check out the Core Handbook full of helpful information.

@jacobcassidy jacobcassidy changed the title Wp scripts fix WP-Scripts fix Aug 17, 2024
@shail-mehta shail-mehta added the [Tool] WP Scripts /packages/scripts label Aug 18, 2024
gziolo
gziolo reviewed Aug 20, 2024
View reviewed changes
Copy link
Member

@gziolo gziolo left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for opening this issue. There are some details to polish related to the packages release process. I also see some CI issues reported that need to be further investigated. It looks like the changes to the package-lock.json will require some tweaks to make it work with the monorepo.

@Mamaduka and @swissspidy – do we still use Puppeteer for e2e tests in any place in Gutenebrg or WordPress core? What's the plan with the scripts powered by Puppeteer? How can we test these changes?

packages/scripts/package.json Outdated Show resolved Hide resolved
packages/scripts/CHANGELOG.md Outdated Show resolved Hide resolved
@Mamaduka
Copy link
Member

@gziolo, we do not, but it needs to be removed in a backward-compatible manner. See #60357.

@Mamaduka Mamaduka changed the title WP-Scripts fix Scripts: Update dependencies Aug 20, 2024
gziolo
gziolo approved these changes Aug 30, 2024
View reviewed changes
Copy link
Member

@gziolo gziolo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the follow-up commits. It's good to go.

@gziolo gziolo changed the title Scripts: Update dependencies Scripts: Update puppeteer-core dependency Aug 30, 2024
@gziolo gziolo enabled auto-merge (squash) August 30, 2024 06:34
@gziolo gziolo disabled auto-merge August 30, 2024 06:35
@jacobcassidy
Copy link
Contributor Author

@gziolo Thanks for the instructions and follow-up.

@gziolo gziolo added the [Type] Breaking Change For PRs that introduce a change that will break existing functionality label Aug 30, 2024
@gziolo gziolo enabled auto-merge (squash) August 30, 2024 06:37
@gziolo
Copy link
Member

gziolo commented Aug 30, 2024

It looks like ESLint detected that puppeteer-core doesn't get installed in the top node_modules folder. To fix it, we would have to put puppeteer-core as a dev dependency in the main package.json file. Remove all changes added in this branch to the main package-lock.json file. Run npm install, and it should all be good.

@gziolo gziolo disabled auto-merge August 30, 2024 07:17
@gziolo gziolo enabled auto-merge (squash) September 4, 2024 10:59
@gziolo gziolo merged commit 6accdd3 into WordPress:trunk Sep 4, 2024
59 checks passed
@github-actions github-actions bot added this to the Gutenberg 19.2 milestone Sep 4, 2024
@acicovic acicovic mentioned this pull request Sep 17, 2024
Closed
@jacobcassidy jacobcassidy mentioned this pull request Sep 19, 2024
Closed
@kjroelke kjroelke mentioned this pull request Nov 27, 2024
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gziolo gziolo gziolo approved these changes

@ntwb ntwb Awaiting requested review from ntwb ntwb is a code owner

@nerrad nerrad Awaiting requested review from nerrad nerrad is a code owner

@ajitbohra ajitbohra Awaiting requested review from ajitbohra ajitbohra is a code owner

@ryanwelcher ryanwelcher Awaiting requested review from ryanwelcher ryanwelcher is a code owner

Assignees
No one assigned
Labels
First-time Contributor Pull request opened by a first-time contributor to Gutenberg repository [Tool] WP Scripts /packages/scripts [Type] Breaking Change For PRs that introduce a change that will break existing functionality
Projects
None yet
Milestone
Gutenberg 19.2
Development

Successfully merging this pull request may close these issues.
4 participants
@jacobcassidy @Mamaduka @gziolo @shail-mehta