Hi Folks,

If you’ve been following JIRA, you’ll note that in doing some testing in 
UserALE.js, I’ve found that we have a number of critical vulnerabilities in our 
UserALE.js build pipeline. This affects 1.0.0 and (forthcoming) 1.1.0. In 
summary, Gulp 3.9.1 has some sub-sub-dependencies that have vulnerabilities 
to ReDoS attacks. In preparing for a huge push to build up our community 
following our name change, things like this can affect adoption and drawing new 
committers. 

I’ve opened two issues (and a branch) to port us to Gulp 4.
https://issues.apache.org/jira/projects/SENSSOFT/issues/SENSSOFT-323?filter=allopenissues
https://issues.apache.org/jira/projects/SENSSOFT/issues/SENSSOFT-322?filter=allopenissues

Gulp 4 is a major update from Gulp 3.9.1 and comes with a lot of new 
dependencies and abandonment of things like gulp-util, which we used in our 
build and testing pipeline. There are lots of other breaking changes caused by 
changes in automation methodology and syntax. I took a stab with a WIP, but I’m 
a .js and gulp novice. I could really use the support if you can spare the 
time. The sooner we can migrate to Gulp 4, the sooner we can have a 
vulnerability-free package, and we can start updating our other dependencies 
that have deprecated (gulp is something of a bottleneck).

Josh