Get rid of vulnerable dependencies#3073
Merged
aleks-pro merged 12 commits intoDevExpress:masterfrom Mar 24, 2026
Merged
Conversation
This reverts commit b69c011.
aleks-pro
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes/avoids vulnerable or deprecated build/test dependencies by migrating Gulp tasks away from deprecated plugins, upgrading the ESLint toolchain/config, and pinning a transitive dependency via overrides.
Changes:
- Replace deprecated Gulp plugins (
gulp-eslint,gulp-mocha-simple,gulp-run-command) withgulp-eslint-new, directmochainvocation, and a new shell-command runner. - Migrate ESLint configuration from multiple
.eslintrcfiles to a single flateslint.config.jsand adjust code/tests accordingly (remove many now-obsolete disable directives). - Pin
serialize-javascriptviaoverridesto address a known transitive vulnerability in Mocha’s dependency tree.
Reviewed changes
Copilot reviewed 62 out of 63 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| test/server/proxy/regression-test.js | Fixes a syntax issue in an assertion. |
| test/server/common/utils.js | Removes ESLint-disable pragmas; request helper remains unchanged logically. |
| test/server/auth-test.js | Removes an obsolete ESLint inline disable. |
| test/server/.eslintrc | Removes legacy per-folder ESLint config (now covered by flat config). |
| test/client/fixtures/utils/url-test.js | Removes an obsolete ESLint disable comment. |
| test/client/fixtures/utils/dom-test.js | Removes inline ESLint disables in test fixture code. |
| test/client/fixtures/sandbox/xhr-test.js | Removes an obsolete ESLint disable comment. |
| test/client/fixtures/sandbox/upload-test.js | Removes an inline ESLint disable comment. |
| test/client/fixtures/sandbox/shadow-ui-test.js | Removes an inline ESLint disable comment. |
| test/client/fixtures/sandbox/node/text-properties-test.js | Removes inline ESLint disables for self-assign statements. |
| test/client/fixtures/sandbox/node/html-collection-wrapper-test.js | Removes a file-level ESLint disable. |
| test/client/fixtures/sandbox/node/classes-test.js | Removes inline ESLint disables around new Function. |
| test/client/fixtures/sandbox/node/attributes-test.js | Removes an obsolete ESLint disable comment. |
| test/client/fixtures/sandbox/iframe-test.js | Removes inline ESLint disables for getter-return. |
| test/client/fixtures/sandbox/cookie-test.js | Removes inline ESLint disables from test fixture code. |
| test/client/fixtures/sandbox/console-test.js | Removes inline ESLint disables around console usage. |
| test/client/fixtures/sandbox/code-instrumentation/location-test.js | Removes an obsolete ESLint disable comment. |
| test/client/fixtures/sandbox/code-instrumentation/common-test.js | Removes an obsolete ESLint disable comment. |
| test/client/.eslintrc | Removes legacy per-folder ESLint config (now covered by flat config). |
| test/.eslintrc | Removes legacy test ESLint config (now covered by flat config). |
| src/utils/url.ts | Removes obsolete lint pragmas/comments. |
| src/utils/parse5.ts | Removes inline ESLint disables; keeps same behavior. |
| src/utils/json.ts | Removes inline ESLint disable; keeps same behavior. |
| src/utils/get-bom.ts | Removes inline ESLint disable; keeps same behavior. |
| src/upload/form-data.ts | Removes inline ESLint disables and aligns trailing commas. |
| src/request-pipeline/request-hooks/events/names.ts | Removes inline ESLint disable comment. |
| src/request-pipeline/header-transforms/index.ts | Removes inline ESLint disable comments. |
| src/request-pipeline/destination-request/agent.ts | Removes file-level ESLint disables around enum. |
| src/proxy/index.ts | Removes inline ESLint disables for optional chaining calls. |
| src/processing/script/transformers/replace-node.ts | Removes braces/disable comment; keeps same logic. |
| src/processing/script/transformers/method-call.ts | Removes inline ESLint disable comment. |
| src/processing/script/transform.ts | Removes ESLint disable pragmas; keeps same logic. |
| src/processing/script/.eslintrc | Removes legacy per-folder ESLint config (now covered by flat config). |
| src/processing/encoding/index.ts | Removes inline ESLint disable comment. |
| src/processing/encoding/charset.ts | Removes inline ESLint disable comment. |
| src/processing/dom/.eslintrc | Removes legacy per-folder ESLint config (now covered by flat config). |
| src/client/utils/style.ts | Adds trailing commas for lint/style compliance. |
| src/client/utils/overriding.ts | Adds a targeted ESLint disable for restricted property destructuring. |
| src/client/utils/insert-position.ts | Removes inline ESLint disable comment. |
| src/client/utils/cookie.ts | Adjusts ESLint disable placement for restricted property destructuring. |
| src/client/sandbox/upload/index.ts | Removes file-level max-nested-callbacks disables. |
| src/client/sandbox/storages/index.ts | Adds a targeted ESLint disable for restricted property destructuring. |
| src/client/sandbox/shadow-ui.ts | Removes inline ESLint disable for regex. |
| src/client/sandbox/node/window.ts | Adds trailing comma; removes obsolete inline disable. |
| src/client/sandbox/node/element.ts | Removes several inline ESLint disables for extra parens/no-shadow. |
| src/client/sandbox/native-methods.ts | Fixes minor formatting and removes obsolete disable comments. |
| src/client/sandbox/event/unload.ts | Removes an inline ESLint disable comment. |
| src/client/sandbox/event/message.ts | Removes inline ESLint disables for no-shadow/no-empty. |
| src/client/sandbox/event/hover.ts | Removes an inline ESLint disable comment. |
| src/client/sandbox/event/active-window-tracker.ts | Removes an inline ESLint disable comment. |
| src/client/sandbox/cookie/index.ts | Removes redundant inline ESLint disables in a file already globally eslint-disabled. |
| src/client/sandbox/child-window/default-target.ts | Removes an inline ESLint disable comment. |
| src/client/sandbox/base.ts | Removes an inline ESLint disable comment. |
| src/client/page-navigation-watch.ts | Removes an inline ESLint disable comment. |
| src/client/.eslintrc | Removes legacy per-folder ESLint config (now covered by flat config). |
| src/.eslintrc | Removes legacy ESLint config (now covered by flat config). |
| package.json | Upgrades ESLint/tooling deps, adds Mocha, and pins serialize-javascript via overrides. |
| gulp/utils/run-shell-commands.js | Adds a new helper to run shell commands sequentially. |
| eslint.config.js | Adds the new ESLint flat configuration replacing all legacy .eslintrc files. |
| Gulpfile.js | Switches to gulp-eslint-new, runs Mocha via shell command, replaces gulp-run-command usage. |
| .eslintrc | Removes legacy root ESLint config (replaced by eslint.config.js). |
| .eslintignore | Removes legacy ignore file (replaced by flat-config ignores). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+9
to
+12
| child.on('error', reject); | ||
| child.on('close', (code) => { | ||
| resolve(code ?? 1); | ||
| }); |
There was a problem hiding this comment.
child.on('error', ...) and child.on('close', ...) can both potentially fire in edge cases; using once handlers (and cleaning up the other listener) avoids double resolve/reject attempts and makes the Promise behavior deterministic. It may also be useful to include the termination signal in the error message when code is null.
Suggested change
| child.on('error', reject); | |
| child.on('close', (code) => { | |
| resolve(code ?? 1); | |
| }); | |
| const onError = (error) => { | |
| child.removeListener('close', onClose); | |
| reject(error); | |
| }; | |
| const onClose = (code) => { | |
| child.removeListener('error', onError); | |
| resolve(code ?? 1); | |
| }; | |
| child.once('error', onError); | |
| child.once('close', onClose); |
Gulpfile.js
Outdated
| const timeout = typeof v8debug !== 'undefined' || !!process.debugPort ? 0 : 2000; | ||
|
|
||
| await runCommands([ | ||
| `npx mocha --full-trace --timeout ${timeout} "./test/server/**/*-test.js"`, |
There was a problem hiding this comment.
Using npx mocha ... can introduce variability (e.g., it may try to download packages if the local binary cannot be resolved in some environments). To make CI more deterministic, consider invoking the local Mocha binary explicitly (e.g., node ./node_modules/mocha/bin/mocha.js ... or npx --no-install mocha ...).
Suggested change
| `npx mocha --full-trace --timeout ${timeout} "./test/server/**/*-test.js"`, | |
| `npx --no-install mocha --full-trace --timeout ${timeout} "./test/server/**/*-test.js"`, |
Comment on lines
+57
to
+82
| "@typescript-eslint/eslint-plugin": "^8.57.0", | ||
| "@typescript-eslint/parser": "^8.57.0", | ||
| "address": "^2.0.3", | ||
| "babel-eslint": "^10.1.0", | ||
| "babel-plugin-add-module-exports": "^1.0.0", | ||
| "basic-auth": "1.0.4", | ||
| "body-parser": "^1.20.4", | ||
| "chai": "^2.3.0", | ||
| "del": "^3.0.0", | ||
| "del-cli": "^3.0.1", | ||
| "eslint": "^7.13.0", | ||
| "eslint": "^10.0.3", | ||
| "eslint-plugin-hammerhead": "^0.4.0", | ||
| "eslint-plugin-no-only-tests": "^2.0.1", | ||
| "express": "4.22.1", | ||
| "express-ntlm": "2.1.5", | ||
| "globals": "^17.4.0", | ||
| "gulp": "^5.0.0", | ||
| "gulp-clone": "^2.0.1", | ||
| "gulp-eslint": "^6.0.0", | ||
| "gulp-eslint-new": "^2.6.1", | ||
| "gulp-ll-next": "^2.1.0", | ||
| "gulp-mocha-simple": "^2.0.0", | ||
| "gulp-mustache": "^3.0.1", | ||
| "gulp-rename": "^1.2.2", | ||
| "gulp-run-command": "0.0.9", | ||
| "gulp-step": "^1.0.1", | ||
| "gulp-typescript": "^5.0.0", | ||
| "gulp-uglify": "^3.0.2", | ||
| "js-beautify": "^1.13.5", | ||
| "mocha": "^11.3.0", |
There was a problem hiding this comment.
eslint v10 requires Node.js >=20 (per its package engines), and this PR also upgrades @typescript-eslint/* and mocha to versions that typically drop Node 14/16 support. With the repo still declaring engines.node: >=14 (and CI workflows using Node 16/18), installs/lint/tests are likely to fail on the supported/CI Node versions. Please either (a) pin ESLint/TS-ESLint/Mocha to versions compatible with the minimum supported Node, or (b) bump the repo's minimum Node version and update CI accordingly.
eslint.config.js
Outdated
| 'no-sequences': 2, | ||
| 'no-shadow': 2, | ||
| 'no-shadow-restricted-names': 2, | ||
| 'no-spaced-func': 2, |
There was a problem hiding this comment.
no-spaced-func is deprecated and removed in modern ESLint versions; keeping it here will cause ESLint to fail loading the config with “Definition for rule 'no-spaced-func' was not found”. Replace it with func-call-spacing (or remove it if it's not needed).
Suggested change
| 'no-spaced-func': 2, | |
| 'func-call-spacing': 2, |
Comment on lines
210
to
215
| try { | ||
| res.body = await parseResponse(response); | ||
| } | ||
| finally { | ||
| /*eslint-disable no-unsafe-finally*/ | ||
| return res; | ||
| /*eslint-enable no-unsafe-finally*/ | ||
| } |
There was a problem hiding this comment.
This return inside finally will swallow any error thrown while parsing the response body (e.g., invalid JSON), which can hide real failures in tests and makes debugging harder. Consider returning after the try/catch instead (or explicitly capturing parse errors in the result) rather than returning from finally.
Aleksey28
approved these changes
Mar 24, 2026
Contributor
|
Test Client (Cloud) tasks gives a warning about deprecated Node 20 version. Shouldn't we update it? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Removed
gulp-run-commandpackage as it has vulnerable dependencies and appears to be deprecated.Replaced
gulp-eslintwithgulp-eslint-new.gulp-eslinthas vulnerable dependencies and seems to be deprecated.This change required updating the
eslintversion and its configuration.Some rules behave differently in the newer version, which made several disable directives obsolete.
Removed
gulp-mocha-simple.Instead, a shell command is used to invoke the
mochapackage directly.Pinned
serialize-javascriptversion viaoverrides.mochadepends on a vulnerable version ofserialize-javascript; however, the team states that this vulnerability does not affectmocha:Security Dashboard mochajs/mocha#5781
The dependency has already been updated in the repository:
https://github.com/mochajs/mocha/blob/main/package.json#L108
but the updated version has not been published yet. So we can remove the ovveride after new
mochaversion will be published.I suggest addressing this in a separate task.