Update package lock files in WordPress builds themes to fix current security issues #3057
+19,845
−36,510
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
|
I guess this PR is fine, but I don't think it solves any issues. That package json is never used for anything and will likely be overridden when those files change on another patch version release. That being said, I don't see anything wrong with this change so let's merge it. |
Collaborator
|
It would be pretty useful to somehow exclude those package log files from dependabot alerts. |
Collaborator
Author
|
On it. |
mho22
added a commit
that referenced
this pull request
Jan 6, 2026
## Motivation for the change, related issues Based on #3057 Instead of modifying the `package-lock.json` files inside the `wordpress-builds` directory like I did in the previous pull request, I fixed the incorrect path in `dependabot.yml`. ## Implementation details ```diff exclude-paths: - - packages/playground/wordpress-builds/build + - packages/playground/wordpress-builds/public - isomorphic-git ``` ## Testing Instructions (or ideally a Blueprint) If this pull request is merged, [this Security issue](https://github.com/WordPress/wordpress-playground/security/dependabot/132) will no longer be open.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for the change, related issues
This pull request aims to fix security issues but I am not sure if refreshing package-locks is a good idea.
I also had to update three dependencies for wp-6.3 since it would crash when running
npm install.Maybe we should simply close these vulnerabilities ?
Related to the Security issues :
https://github.com/WordPress/wordpress-playground/security/dependabot/117
https://github.com/WordPress/wordpress-playground/security/dependabot/116
https://github.com/WordPress/wordpress-playground/security/dependabot/115
https://github.com/WordPress/wordpress-playground/security/dependabot/114
Implementation details
Refreshed some package-locks and updated a package.json