@wordpress/scripts and vulnerability warnings

  • I am using @wordpress/scripts for building client sites. I use it locally on mamp to develop themes. More often than not, when I install it or update/audit it as per the instructions at https://developer.www.ads-software.com/block-editor/reference-guides/packages/packages-scripts/ I get a warning in Terminal about vulnerabilities.

    Today, I took a first post-Christmas look at a site I have been working on, and immediately got warned about 5 high severity vulnerabilities. Running ‘npm audit fix’ changed this to “11 vulnerabilities (3 moderate, 8 high)”, and also seemed to change the version from @wordpress/[email protected] to @wordpress/[email protected]!

    Running Audit fix again seemed to reinstate the latest version of @wordpress/[email protected], along with the same 5 vulnerabilities I started with, so back to square one.

    So it seems that there is no way to fix these vulnerabilities, but Terminal is telling me they are high severity. What are you supposed to do in situations like this? I have to use @wordpress/scripts because it seems you can’t construct Gutenberg blocks without it, but I feel out of my depth with these vulnerability issues. I don’t know how to fix them, which means it feels like I am providing client work that is full of vulnerabilities.

    At the same time, I don’t see how vulnerabilities that presumably only exist in my local version of the theme folder could cause vulnerabilities on the public, live version of a site. And if someone was able to break into my local theme folders, I think they’d have better things to do than mess with my themes.

    Should I just ignore these warnings? I have searched online but have not found any useful info about this issue, that I feel I can trust.

Viewing 1 replies (of 1 total)

  • Hi @julian_wave
    It is essential to take warnings about vulnerabilities seriously, mainly when they are classified as high severity. Ignoring them could leave your client’s site open to attack, resulting in the site being compromised or experiencing other issues. To avoid this, it is best to try to fix the vulnerabilities. One way to do this is to run the npm audit fix command, which should automatically install updated packages that address known vulnerabilities. However, if this does not fully resolve the issues, there may be a conflict between the version of @wordpress/scripts you are trying to use and the other packages installed in your project. In this case, it may be beneficial to manually update the @wordpress/scripts package to the latest version and rerun the npm audit fix.

    It is also essential to regularly check for and address vulnerabilities in your project to ensure that it is as secure as possible. You can run an npm audit regularly and address any identified issues. It is worth noting that vulnerabilities in your local version of the theme folder will not directly affect the public, live version of the site. However, if you push code with known vulnerabilities to a live site, it could be exploited by attackers. Therefore, ensuring that your local development environment is as secure as possible is essential, and only push code to a live site after you have addressed any known vulnerabilities.

Viewing 1 replies (of 1 total)
  • The topic ‘@wordpress/scripts and vulnerability warnings’ is closed to new replies.