Channel: Issues for Drupal core

Update our yarn dev dependencies to the extent allowed by current constraints


Problem/Motivation

yarn audit shows the following numbers of vulnerabilities on each branch:

  • 10.0.x, 9.4.x, and 9.3.x: 18 Moderate | 3 High
  • 9.2.x: 24 Moderate | 4 High

Steps to reproduce

  1. cd core
  2. yarn install
  3. yarn audit

Proposed resolution

Not all of the dependency updates can be addressed without increasing our constraints. However, running yarn upgrade without modifying the constraints gets rid of some of the vulnerabilities, reducing the counts to:

  • 10.0.x, 9.4.x, 9.3.x: 16 Moderate | 1 High
  • 9.2.x: 12 Moderate

Let's fix those first (after reviewing that the upgraded versions are safe, and testing). Then, let's handle whatever increases we need to make to the constraints in follow-up issues.
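As an added example (not code from this issue or from Drupal core), a small gate that parses the newline-delimited JSON printed by Yarn 1's `yarn audit --json`, tallies findings per severity the way the counts above are reported, and fails when anything at or above a chosen severity remains. The record layout, the per-finding counting and the sample input are assumptions.

```python
"""Tally `yarn audit --json` findings by severity and gate on a threshold.

Assumed Yarn 1 format: one JSON object per line, `auditAdvisory` records
followed by a final `auditSummary`. Usage in CI (from core/):
    yarn audit --json | python3 audit_gate.py
"""
import json
import sys
from collections import Counter

# Constructed sample of `yarn audit --json` output, trimmed to the fields
# this script reads: two advisories and the trailing summary line.
SAMPLE_AUDIT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "example-dep", "severity": "moderate",
        "findings": [{"paths": ["a>example-dep"]}, {"paths": ["b>example-dep"]}]}}}),
    json.dumps({"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "other-dep", "severity": "high",
        "findings": [{"paths": ["other-dep"]}]}}}),
    json.dumps({"type": "auditSummary", "data": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 2, "high": 1, "critical": 0}}}),
])

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def tally_advisories(audit_json_lines):
    """Count findings per severity (assumption: one per installed vulnerable version)."""
    counts = Counter()
    for line in audit_json_lines.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("type") != "auditAdvisory":
            continue  # the summary line is derived data; skip it
        advisory = record["data"]["advisory"]
        counts[advisory["severity"]] += len(advisory.get("findings", []))
    return dict(counts)


def gate(counts, fail_at="high"):
    """Return True when no finding is at or above the given severity."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[s] < threshold or n == 0 for s, n in counts.items())


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    tally = tally_advisories(data)
    print(" | ".join(f"{n} {s.capitalize()}" for s, n in sorted(tally.items())))
    sys.exit(0 if gate(tally) else 1)
```

Lower `fail_at` to "moderate" once the constraint increases from the follow-up issues land, so the gate tightens as the remaining counts drop.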

Remaining tasks

Address the remaining vulnerabilities that require changes to constraints in follow-up issues.

Follow-up issue for the acorn/terser dependency workaround: #3264520: Remove acorn from package.json

User interface changes

TBD

API changes

TBD

Data model changes

TBD

Release notes snippet

Drupal core's JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address a few security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.

Additionally, Acorn has temporarily been added as a direct development dependency of core to work around an upstream bug in Terser. Acorn will be removed as a direct dependency again once Terser creates a new release with a fix for the bug.
