1

I've been using Gulp for a while now and recently I noticed that there are security warnings when I install or update packages. I run the audit and get a lot of information but I'm not sure if this is in particular to use in a production server or if it also applies to a local server.

I've also tried using gulp 4 and it seems fine but I was just curious on the 3.9.1 version since there are still some differences.

I guess the short question is gulp 3.9.1 safe to use on a local environment or does it create a security issue?

David
  • 41
  • 2
  • can you review the answer @David? leave a comment if you need clarification, otherwise you can accept it using the “tick” below the answer score – mihai Nov 23 '18 at 19:03

1 Answers1

0

I would say it's safe. Here are my thoughts on the reported vulnerabilities:

  • There are 4 High vulnerabilities of type Regular Expression Denial of Service for the minimatch module. These are mostly related to user input, Gulp is just a build tool, I don't see how it could be affected by this

  • Low vulnerability of type Prototype Pollution for the lodash module. I can't say for sure, but you might be affected by this if you load some unknown external modules in your build, otherwise you would be fine.

In any case, updating to Gulp 4 should remove all doubts.

mihai
  • 37,072
  • 9
  • 60
  • 86