Update packages #2633
-
#2600 even got closed without any comment. Personally I don't understand how such a topic can harshly be canceled/prevented/stopped while other people spend time and thoughts in properly updating and creating a PR.
-
There hasn't been a new release of Gulp in 3 years, at this point I lost all hope that any dependencies will ever be updated. Gulp 5 is coming, supposedly, but it's been coming for years now. And seeing the current pace, it won't be until 2026 that it's out. I wish there were as many alternatives to Gulp as there are to Webpack, but alas, I'm left here looking at PRs closed without comment, and Dependabot screaming at me about
-
Would be nice to see some maintenance done on existing packages, seeing no activity in repositories will scare off new adopters.
-
It seems that putting this in package.json is enough to fix security alerts (without any visible drawback for me):

```json
"overrides": {
  "chokidar": "3.5.3",
  "glob-stream": "7.0.0"
}
```

I think it would be better for everyone if gulp maintainers could target smaller major versions. :)
-
I've personally decided to move all of my projects off of Gulp. I'm tired of seeing high vulnerability audit warnings on every deployment, and then having to explain to my clients that "no, no, it's okay, the maintainers sarcastically linked to a website that implies the vulnerabilities aren't actually a big deal, and then they close other questions about it without discussion". I maintain an open-source package as well so I know it can get tiresome dealing with people pestering you about things, but damn does it feel passive aggressive here.
-
As my PR was locked immediately...
Originally posted by @phated in #2630 (comment)
While I agree on npm audit being flawed, other tools like the Dependabot security alert report it too.
Additionally (unless bypassed by aliasing or specifically defining a version) this can prevent other dependencies from using a newer version.
So while gulp itself isn't used during production, it still prevents using a newer version of its own or subsequent dependencies.