Conversation

@isahann isahann commented May 7, 2024

Just upgraded to the latest version of gh-pages available at the moment.
After upgrading, I removed the node_modules and package-lock.json, and then ran a fresh npm i.
Building with npm build runs just fine. And after fixing a single test, npm test (building first) passes all tests too.

Please feel free to request any changes.

@isahann changed the title from "Fixing critical vulnerabilities on 2.0.0-beta.2, caused by gh-pages@3.1.0 #185" to "Fixing critical vulnerabilities on 2.0.0-beta.2, caused by gh-pages@3.1.0" on May 7, 2024
@fmalcher (Member) commented May 8, 2024

Thank you so much, Isahann! @JohannesHoppe will review and merge this one.

@JohannesHoppe (Member) commented May 8, 2024

@isahann Thanks for starting this PR! 😃 🙏 Do you think you have the resources to figure out how we can address the breaking change?

@isahann (Author) commented May 8, 2024

> @isahann Thanks for starting this PR! 😃 🙏 Do you think you have the resources to figure out how we can address the breaking change?

I've just downloaded the repo, haven't checked much of it besides the package.json and the breaking test... But I'll try to take a better look into it...

@isahann isahann requested a review from JohannesHoppe May 8, 2024 14:10
@JohannesHoppe (Member)

We have holidays in Germany. I will run all tests on Monday! 👍

@musicEnfanthen

@JohannesHoppe Any updates from the Monday tests? Would be awesome to see this critical vulnerability fixed.

@davayd commented Jun 23, 2024

Excuse me, just commented to up the topic

@kayvanbree

Any updates on this?

@mpellerin42

I'm also looking forward to this new version being available. Any update on this PR?

@namdhevTW

Looking forward to merging this PR, folks. The current version is causing havoc with the critical vulnerabilities.

@victor-enogwe

👀

@isahann (Author) commented Apr 12, 2025

@JohannesHoppe any updates on this? I've recently updated to v2.0.3, but I see that it's still using gh-pages@3.1.0...

@tim-band

Any chance of movement? Would you like any help?

@BGBRWR commented Aug 13, 2025

This PR addressing a critical vulnerability has been open for over a year. @JohannesHoppe, could you please confirm whether this repository is still being maintained? My team needs to decide whether to continue relying on this package or migrate away in order to resolve the issue.

@JohannesHoppe (Member)

Hi @BGBRWR,

thank you very much for your patience, and sorry for the long delay in responding - I’ve been on a long holiday and just got back.

The main issue with PR #186 is that it bumps gh-pages from v3 to v6. That introduces some tricky changes, especially because gh-pages updated its dependency on commander. Unfortunately, that results in a different version of commander than the one we’re currently using. I tried to update this in the past, but commander itself introduced breaking changes in how values are parsed from the command line. From what I remember, it opens the door to all kinds of regressions.

Another challenge is that no tests are failing with this PR, which is actually a sign that we don’t have test coverage for this area. Until now we’ve just assumed infrastructure like commander wouldn’t change in breaking ways.

That leaves us with three possible paths forward:

  1. Upgrade to gh-pages v6 and test everything thoroughly (high risk, since ~66k repos depend on angular-cli-ghpages).
  2. Fork the current gh-pages version and only patch security-relevant dependencies, without updating commander.
  3. Copy the best parts of gh-pages into our repo (not very polite, but would make us independent).

Each option is quite intensive. To make progress, I’ll start by increasing the test coverage this weekend, so we can document the current status quo. That way we’ll have a foundation for moving forward.

Thanks again for your patience and understanding!
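The conflict described in the comment above (bumping gh-pages pulls in a second, incompatible copy of commander) is the kind of thing a reviewer would want to verify directly from the lockfile rather than from test results. The script below is an added example and not code from the angular-cli-ghpages project; it walks an npm `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of a package and which dependent nests it. The embedded lockfile and its version numbers are constructed for illustration, not the real ones.

```javascript
// Added example: find duplicate copies of a package in an npm lockfile.
// The lockfile below is a CONSTRUCTED sample; versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { commander: "^2.0.0", "gh-pages": "^6.0.0" } },
    "node_modules/commander": { version: "2.99.0" },                                   // top-level copy
    "node_modules/gh-pages": { version: "6.99.0", dependencies: { commander: "^11.0.0" } },
    "node_modules/gh-pages/node_modules/commander": { version: "11.99.0" },            // nested copy
  },
};

// Return [{ version, path, parent }] for every installed copy of `name`.
// `parent` is the package whose node_modules folder holds the copy
// ("" means the top-level project).
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> ["a", "b"]; scoped names keep their slash.
    const segments = path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    if (segments.length === 0 || segments[segments.length - 1] !== name) continue;
    const parent = segments.length > 1 ? segments[segments.length - 2] : "";
    copies.push({ version: entry.version, path, parent });
  }
  return copies;
}

// Distinct major versions of `name` in the tree, ascending. More than one
// means the project and a dependency will each load a different major.
function distinctMajors(lock, name) {
  const majors = new Set(findInstalledCopies(lock, name).map((c) => parseInt(c.version.split(".")[0], 10)));
  return [...majors].sort((a, b) => a - b);
}

// Print a human-readable report; reads a real lockfile when a path is given.
function report(name, lockPath) {
  const lock = lockPath ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8")) : sampleLock;
  const copies = findInstalledCopies(lock, name);
  for (const c of copies) {
    console.log(`${name}@${c.version} at ${c.path} (required by ${c.parent || "the project"})`);
  }
  const majors = distinctMajors(lock, name);
  if (majors.length > 1) console.log(`WARNING: ${name} resolves to majors ${majors.join(", ")}`);
  return { copies, majors };
}

if (typeof require !== "undefined" && require.main === module) {
  report(process.argv[2] || "commander", process.argv[3]); // e.g. node check.js commander package-lock.json
}
```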
