[Dependencies] [Security] Upgrade to Gulp4

[acconrad]

This fixes multiple bugs (#6549 #5762 #6214 ) and implements #3793 by upgrading from Gulp 3.9.1 to 4.0.0 which was released a few months ago.

The primary goal of this is to incorporate a series of vulnerability fixes (minimatch, hoek, and lodash) that were introduced within the dependencies of gulp, and as a result were patched starting in Gulp v4.

The basic upgrade flow works like this:

1. Upgrade Gulp from 3.9.1 to 4.0.0
2. Upgrade gulp-help to the version that specifically supports Gulp4 (1.6.1 to chmontgomery/gulp-help#gulp4)
3. Upgrade additional dependencies that fix additional audit issues (gulp-concat-css, gulp-copy, gulp-less, gulp-watch, and github)
4. Remove run-sequence which is now deprecated and natively replaced with gulp.series
5. Fix calc() errors that arose out of interpolated strings with the latest version of gulp-less

With those tasks complete, npm install works and completes as intended with no errors and 0 security vulnerabilities.

[y0hami]

This is great this will help a bunch!

[acconrad]

May be worth waiting until this is merged to fully resolve all audit issues on dependencies

[jlukic]

I wasnt able to get the tasks to run with this PR. Is this a work in progress?

[acconrad]

Alright gulp-copy 4 is merged I'll take another look now to make sure the tasks run

[acconrad]

@jlukic Okay this is now complete. You can run npm install and gulp and all tasks will successfully complete with no errors and no security vulnerabilities.

[y0hami]

@acconrad Great, I will take a look at this when I have some time!

[y0hami]

@acconrad I just did some testing and it all looks good. The only problem I can find is when running gulp build-docs it will crash with TypeError [ERR_INVALID_CALLBACK]: Callback must be a function. It seems line 83 in tasks/docs/build.js is the problem because in newer versions of node the fs.writeFile function throws an error when there is no callback. If I remember correctly this was introduced in node v9.

[acconrad]

Cool @hammy2899 fixed!

[y0hami]

LGTM

[acconrad]

@hammy2899 added a commit that should get your PR to work now :)

[jlukic]

All of the calc variables need to pull from their respective variables (instead of being hard-coded) otherwise they wont adjust properly with user themes.

You'd want to be able to, for example change @ribbonMargin in label and have all other variables update properly.

[jlukic]

Maybe related to
less/less.js#3191
less/less.js#3223

[acconrad]

Good find @jlukic I had trouble finding that resolution, all fixed now!

[jlukic]

I've merged #6512 which updates calcs for compatibility with less 3.5.

Can you take a look at that and see if it can fit into your PR? A simple way to confirm is to inspect an attached menu and verify its calc(100% + (-1px * 2))

[acconrad]

This was in both dependencies and dev dependencies and the latest version right now is 1.0.1 anyway so you shouldn't have this in both sections, that will trigger an NPM warning

[acconrad]

@jlukic okay merged in. i verified everything looked right and the build still passes when building from npm and gulp.

[acconrad]

sorry about all of the bumps, this was during Github's outage this weekend and it kept telling me that no comments were going through (I even tried deleting all of them and they keep coming back), @jlukic @hammy2899 ready to merge when you are

[jlukic]

I was on vacation with family in Ireland, will probably have a chance to look this weekend or next.

[acconrad]

This ready to merge?

[pgobin-zz]

This ready to merge?

@acconrad @jlukic ./tasks/config/npm/gulpfile.js needs to be updated to match the new gulpfile.js.

[acconrad]

all set @pgobin

[pgobin-zz]

@acconrad Have you noticed file.path no longer exists in watch.js?

From watch.js:

gulp
    .watch([
      source.config,
      source.definitions   + '/**/*.less',
      source.site          + '/**/*.{overrides,variables}',
      source.themes        + '/**/*.{overrides,variables}'
    ], function(file) {

    ...

    gulp.src(file.path)
              ^
    ...

For me, gulp watch outputs an undefined exception after editing .less or an override.

If it indeed does, a solution might look something like the following:

  const cssWatcher = gulp.watch([
    source.config,
    source.definitions   + '/**/*.less',
    source.site          + '/**/*.{overrides,variables}',
    source.themes        + '/**/*.{overrides,variables}'
  ]);

  cssWatcher.on('change', (path) => {

    ...

    gulp.src(path)

    ...

For the CSS watch and the remaining watches also.

[acconrad]

@pgobin it wasn't there before I started this PR and this PR doesn't touch file.path so I would recommend you fix this in a separate PR

[acconrad]

Are we ready to merge this? Still would love to get this one in for my team!

[badgerwithagun]

@jlukic? @levithomason? Can this be merged? Just this and a patch release would get the library building without security warnings...

[acconrad]

Pinging @jlukic and @hammy2899 ... this has been ready for 2 months and could have positive security impacts for lots of folks :)

[y0hami]

@acconrad You will have to wait for @jlukic to merge this.

If you haven't noticed all PR's are currently stale...

[badgerwithagun]

I'm just reviewing these changes to merge into my own fork and saw this. Given that this PR is intended to solve security warnings, I don't think we can trust adding a dependency on a floating github branch. It could be modified at any time, making builds unrepeatable and adding an attack vector.

Is there no published version that can be used?

[y0hami]

There is never going to be a gulp4 release of gulp-help chmontgomery/gulp-help#31 (comment)

[badgerwithagun]

How about referencing the commit hash of the HEAD of that branch?

This should work (never tried it though):

github:chmontgomery/gulp-help#194e80e0545ff6af5d10eeba7e224d0da71eb8d3

Not sure the github dependency is needed either. This is standard:

[email protected]:github:chmontgomery/gulp-help.git#194e80e0545ff6af5d10eeba7e224d0da71eb8d3

E2A: yup

[ColinFrick]

@badgerwithagun You could also check out the Fomantic-UI fork at https://github.com/fomantic/Fomantic-UI . We already have updated to gulp 4 and gulp-help will be removed with the next release

[badgerwithagun]

See above. Not certain that this is needed.

[maxhq]

Is there anything that stops this PR from being merged? Any help needed?

[y0hami]

@maxhq Give https://github.com/fomantic/Fomantic-UI a try it has gulp4 support and is activity maintained

[acconrad]

ping

[y0hami]

@acconrad This will most likely never be merged, its over 1 year now since last release of SUI (https://github.com/Semantic-Org/Semantic-UI/releases)

I would recommend anyone looking at this to take a look at Fomantic-UI the official community fork which has gulp4 support.

[vsubbotskyy]

Upgraded yesterday to Fomantic, supersmooth, no issues