
chore: Forced an update for babel packages for security vulnerability #2098

Merged
colinmurphy merged 10 commits into canary from chore-update-babel-packages-for-dependencies on Apr 4, 2025

Conversation

@colinmurphy
Member

@colinmurphy colinmurphy commented Apr 4, 2025

Tasks

  • I have signed a Contributor License Agreement (CLA) with WP Engine.
  • If a code change, I have written testing instructions that the whole team & outside contributors can understand.
  • I have written and included a comprehensive changeset to properly document the changes I've made.

Description

Currently a lot of packages in Faust have hard dependencies on @babel/runtime 7.25.7.

We need to update to min version 7.26.10 to fix a moderate security issue: GHSA-968p-4wvh-cqc8

Related Issue(s):

Testing

Screenshots

See screenshot from running npm audit after applying the resolution

Screenshot 2025-04-04 at 17 21 12

Documentation Changes

Dependant PRs

@changeset-bot

changeset-bot bot commented Apr 4, 2025

🦋 Changeset detected

Latest commit: ea43f15

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
@faustwp/blocks Patch
@faustwp/cli Patch
@faustwp/block-editor-utils Patch
@faustwp/core Patch


@colinmurphy colinmurphy marked this pull request as ready for review April 4, 2025 16:29
@colinmurphy colinmurphy requested a review from a team as a code owner April 4, 2025 16:29
@colinmurphy colinmurphy marked this pull request as draft April 4, 2025 16:43
@colinmurphy
Member Author

@moonmeister @wpengine/headless-open-source

Sorry, tested again locally and there are still some issues, so I need to fix these first. I will let you know once I fix these issues.

@github-actions
Contributor

github-actions bot commented Apr 4, 2025

📦 Next.js Bundle Analysis for @faustwp/getting-started-example

This analysis was generated by the Next.js Bundle Analysis action. 🤖

🎉 Global Bundle Size Decreased

Page Size (compressed)
global 260.27 KB (🟢 -85 B)
Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Noting you need to run `npm install` after you run `npm npm-force-resolutions` to apply those changes to the lock file.
@colinmurphy
Member Author

For anyone who needs to update those babel packages as a temporary fix.

  1. Run `npm ci`
  2. Add the following to `package.json`:

```json
"resolutions": {
  "@babel/runtime": "7.27.0"
}
```

  3. Run `npx npm-force-resolutions`
  4. Run `npm install` to apply those changes
  5. Verify by running `npm ci`

@colinmurphy colinmurphy marked this pull request as ready for review April 4, 2025 17:38
@colinmurphy colinmurphy merged commit 709fe4a into canary Apr 4, 2025
18 checks passed
@colinmurphy colinmurphy deleted the chore-update-babel-packages-for-dependencies branch April 4, 2025 17:40