[wp-trac] [WordPress Trac] #56452: Deprecated NPM + update jQuery 3.6.1
WordPress Trac
noreply at wordpress.org
Sun Aug 28 09:59:32 UTC 2022
#56452: Deprecated NPM + update jQuery 3.6.1
--------------------------------+-----------------------------
 Reporter:  malthert            |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  External Libraries  |    Version:
 Severity:  critical            |   Keywords:
  Focuses:  javascript          |
--------------------------------+-----------------------------
A variety of issues that I think make sense to tackle now, with enough time
until WP 6.1 is released, in case any issues come up.

**Why is this critical?** A lot of (dependency) packages seem to have
security-related issues (as per npm).

1) npm 6 has been deprecated for almost 2 years
- package-lock.json lockfileVersion has increased since npm 7 and is
incompatible with old npm
=> can be fixed by calling "npm update" (will not update any packages but
only increase lockfileVersion on first run)
- `"npm": ">=6.14.8"` should be increased (node too)
=> which version do we want? 7? (which would be the absolute minimum,
could go to 8 directly)

2) tons of old and very old packages that need to be updated, because they
were renamed or have security issues.
These partly date back to before WP 6.0 (partly even before WP 5.9).
Does updating npm have a periodic task before creating new WP releases?
It doesn't seem like it, but it should have one, to avoid shipping outdated
JS with security issues.
I think it makes sense to create a branch now to update (resolve
dependency issues, ...).
Then once again before the first beta of the next release, and then merge
this branch.
Then periodically before every first beta of the upcoming release.

2b) what about other external JS (not part of NPM), e.g. jquery-migrate?
Is there a process when doing "releases" to ensure those get updated?

3) update jQuery to 3.6.1 (latest, non-breaking bug-fix release)

4) update jquery-migrate to 3.4.0 (latest)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/56452>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform