Skip to content

Scripts: Update lighthouse dependency #65488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jacobcassidy wants to merge 6 commits into from
Closed

Scripts: Update lighthouse dependency #65488

jacobcassidy wants to merge 6 commits into from

Conversation

@jacobcassidy
Copy link
Contributor

@jacobcassidy jacobcassidy commented Sep 19, 2024

What?

Updates the lighthouse dependency in the e2e-test-utils-playwright package.

Why?

This fixes the issue with high-severity vulnerabilities introduced with an older version of the puppeteer-core dependency, as mentioned in #64597. Lighthouse uses puppeteer-core and needs to be updated to use the latest version to remove the old dependencies with vulnerabilities.

How?

  • Updates the e2e-test-utils-playwright's package.json lighthouse dependency to the latest version.
  • Removes the lighthouse+10.4.0.patch file the old version depended on.

Testing Instructions

Same as #64597:

  1. Run npm i --save-dev @wordpress/scripts
  2. Run npm audit and you'll see a warning for high-severity vulnerabilities.
  3. Add the following to your package.json file:
"overrides": {
    "puppeteer-core": "^23.1.0"
}
  1. Run npm i to update the packages.
  2. The vulnerabilities are now removed.

Other Notes

  1. I'm not sure this package can be updated with a simple change in this PR. Someone with more familiarity can chime in. Issue Scripts: Deprecated or remove Puppeteer as e2e test handler #60357 mentions puppeteer and its removal, so if that's in progress and includes the e2e-test-utils-playwright package, we can disregard this PR.

  2. The core package.json and package-lock.json may need to be updated to include lighthouse as a dev dependency as was the case for Scripts: Update puppeteer-core dependency #64597.

@github-actions
Copy link

github-actions bot commented Sep 19, 2024

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: jacobcassidy <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@jacobcassidy jacobcassidy marked this pull request as draft September 23, 2024 08:12
@jacobcassidy
Copy link
Contributor Author

jacobcassidy commented Sep 23, 2024

Changed to draft until greater insight into if this can be done or if a complete e2e overhaul via #60357 is in the works.

@gziolo gziolo mentioned this pull request Dec 9, 2024
Merged
@gziolo gziolo added [Type] Security Related to security concerns or efforts [Status] Stale Gives the original author opportunity to update before closing. Can be reopened as needed. labels Dec 9, 2024
@gziolo
Copy link
Member

gziolo commented Dec 9, 2024

I'm working on #67708, which contains the same changes regarding the lighthouse package. I hope we can resolve these issues before the next npm publishing planned for Wednesday this week.

@jacobcassidy
Copy link
Contributor Author

jacobcassidy commented Dec 10, 2024

@gziolo Sounds great. I'm closing this PR since it's already being covered.

@jacobcassidy jacobcassidy deleted the e2e-script-update branch April 3, 2025 00:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kevin940726 kevin940726 Awaiting requested review from kevin940726 kevin940726 is a code owner

@spacedmonkey spacedmonkey Awaiting requested review from spacedmonkey spacedmonkey will be requested when the pull request is marked ready for review spacedmonkey is a code owner

@desrosj desrosj Awaiting requested review from desrosj desrosj will be requested when the pull request is marked ready for review desrosj is a code owner

@oandregal oandregal Awaiting requested review from oandregal oandregal will be requested when the pull request is marked ready for review oandregal is a code owner

@gigitux gigitux Awaiting requested review from gigitux gigitux will be requested when the pull request is marked ready for review gigitux is a code owner

@ntsekouras ntsekouras Awaiting requested review from ntsekouras ntsekouras will be requested when the pull request is marked ready for review ntsekouras is a code owner

@ajitbohra ajitbohra Awaiting requested review from ajitbohra ajitbohra will be requested when the pull request is marked ready for review ajitbohra is a code owner

@ntwb ntwb Awaiting requested review from ntwb ntwb will be requested when the pull request is marked ready for review ntwb is a code owner

@nerrad nerrad Awaiting requested review from nerrad nerrad will be requested when the pull request is marked ready for review nerrad is a code owner

@luisherranz luisherranz Awaiting requested review from luisherranz luisherranz will be requested when the pull request is marked ready for review luisherranz is a code owner

@DAreRodz DAreRodz Awaiting requested review from DAreRodz DAreRodz will be requested when the pull request is marked ready for review DAreRodz is a code owner

@draganescu draganescu Awaiting requested review from draganescu draganescu will be requested when the pull request is marked ready for review draganescu is a code owner

@adamziel adamziel Awaiting requested review from adamziel adamziel will be requested when the pull request is marked ready for review adamziel is a code owner

@tellthemachines tellthemachines Awaiting requested review from tellthemachines tellthemachines will be requested when the pull request is marked ready for review tellthemachines is a code owner

@ellatrix ellatrix Awaiting requested review from ellatrix ellatrix will be requested when the pull request is marked ready for review ellatrix is a code owner

@ZebulanStanphill ZebulanStanphill Awaiting requested review from ZebulanStanphill ZebulanStanphill will be requested when the pull request is marked ready for review ZebulanStanphill is a code owner

@fabiankaegy fabiankaegy Awaiting requested review from fabiankaegy fabiankaegy will be requested when the pull request is marked ready for review fabiankaegy is a code owner

@juanmaguitar juanmaguitar Awaiting requested review from juanmaguitar juanmaguitar will be requested when the pull request is marked ready for review juanmaguitar is a code owner

Assignees

No one assigned

Labels

[Status] Stale Gives the original author opportunity to update before closing. Can be reopened as needed. [Type] Security Related to security concerns or efforts

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacobcassidy @gziolo