Conversation
allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of `node_modules` directly inside package that have a dev dependency to these plugins.
|
|
In `loadNpmTasks()`` try to resolve package location. In case package not found, try to resolve it's location using `require.resolve()`
add integration test for monorepo case, where grunt plugin hoisted to the `node_modules` above package having dev dependency to it
|
@vladikoff any way this can get reviewed or merged? |
|
ping @shama 👋 |
|
@micellius so one use case this may break is if your // all tasks are located under the '/dist/tasks' folder.
grunt.loadNpmTasks('grunt-foo/dist');Because Perhaps this use case is unique to me, but I don't think its that farfetched that users might have a Interested to hear your thoughts... |
|
I think we've intended to support a |
|
@shama this would be great. Please keep us posted. In our monorepo, we basically have to copy all the grunt* packages into each packages |
In case `loadNpmTasks()` is called with relative path instead of just module name, try to resolve module name and find relevant package.json, but use tasks from specified relative path.
@redonkulus , I pushed the change that takes your use case into account by trying to normalize the argument of task.loadNpmTasks = function(name) {
loadTasksMessage('"' + name + '" local Npm module');
var root = path.resolve('node_modules');
var pkgpath = path.join(root, name);
var pkgfile = path.join(pkgpath, 'package.json');
// If package does not exist where grunt expects it to be,
// try to find it using Node's package path resolution mechanism
if (!grunt.file.exists(pkgpath)) {
var nameParts = name.split('/');
// In case name points to directory inside module,
// get real name of the module with respect to scope (if any)
var normailzedName = (name[0] === '@' ? nameParts.slice(0,2).join('/') : nameParts[0]);
try {
pkgfile = require.resolve(normailzedName + '/package.json');
root = pkgfile.substr(0, pkgfile.length - normailzedName.length - '/package.json'.length);
} catch (err) {
grunt.log.error('Local Npm module "' + normailzedName + '" not found. Is it installed?');
return;
}
}
...
// Process task plugins.
var tasksdir = path.join(root, name, 'tasks');
if (grunt.file.exists(tasksdir)) {
loadTasks(tasksdir);
} else {
grunt.log.error('Local Npm module "' + name + '" not found. Is it installed?');
}
}Now you should be able to use |
redonkulus
left a comment
redonkulus
left a comment
There was a problem hiding this comment.
Thanks for making the change. Just one comment on path separators.
| // If package does not exist where grunt expects it to be, | ||
| // try to find it using Node's package path resolution mechanism | ||
| if (!grunt.file.exists(pkgpath)) { | ||
| var nameParts = name.split('/'); |
There was a problem hiding this comment.
Do you want to use path.sep to support windows?
Looks like there are three more uses of / below too.
There was a problem hiding this comment.
@redonculus , I tested my PR on windows and it works fine. There is a need to use path.sep only if someone is using syntax like require(".\\my\\foo\\index.js"). While this may work on windows, it fails on other platform. In opposite, using require("./my/foo/index.js") works on all platforms (including windows). So, practically, I don't see any reason someone would use windows specific paths, if there is a way to write cross-platform code with less typing.
There was a problem hiding this comment.
Ok that’s fine then. If it works on windows then I’m good.
|
What's the status on this PR? Any reason it hasn't been merged asides from the path.sep comment mentioned above? |
|
@Lucaszw I have been busy traveling that last few weeks so I haven’t had time to test this yet but will try out the latest changes in this PR this week. @micellius please see my comment above about using |
|
@redonkulus Awesome! |
|
@micellius @Lucaszw I've tested this locally and it works well. Its up to @shama in how he wants to proceed with this PR. |
|
@vladikoff thanks for merging this in. When do you think this will be released to npm? |
|
@redonkulus I am thinking to tag this with v1.2.0 this week. How's that? |
|
@vladikoff that would be perfect, thanks! |
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [grunt](https://gruntjs.com/) ([source](https://redirect.github.com/gruntjs/grunt)) | [`~1.1.0` -> `~1.5.3`](https://renovatebot.com/diffs/npm/grunt/1.1.0/1.5.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2020-7729](https://nvd.nist.gov/vuln/detail/CVE-2020-7729) The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML. #### [CVE-2022-0436](https://nvd.nist.gov/vuln/detail/CVE-2022-0436) Grunt prior to version 1.5.2 is vulnerable to path traversal. #### [CVE-2022-1537](https://nvd.nist.gov/vuln/detail/CVE-2022-1537) file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root. --- ### Release Notes <details> <summary>gruntjs/grunt (grunt)</summary> ### [`v1.5.3`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.3) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.2...v1.5.3) - Merge pull request [#​1745](https://redirect.github.com/gruntjs/grunt/issues/1745) from gruntjs/fix-copy-op [`572d79b`](https://redirect.github.com/gruntjs/grunt/commit/572d79b) - Patch up race condition in symlink copying. [`58016ff`](https://redirect.github.com/gruntjs/grunt/commit/58016ff) - Merge pull request [#​1746](https://redirect.github.com/gruntjs/grunt/issues/1746) from JamieSlome/patch-1 [`0749e1d`](https://redirect.github.com/gruntjs/grunt/commit/0749e1d) - Create SECURITY.md [`69b7c50`](https://redirect.github.com/gruntjs/grunt/commit/69b7c50) ### [`v1.5.2`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.2) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.1...v1.5.2) - Update Changelog [`7f15fd5`](https://redirect.github.com/gruntjs/grunt/commit/7f15fd5) - Merge pull request [#​1743](https://redirect.github.com/gruntjs/grunt/issues/1743) from gruntjs/cleanup-link [`b0ec6e1`](https://redirect.github.com/gruntjs/grunt/commit/b0ec6e1) - Clean up link handling [`433f91b`](https://redirect.github.com/gruntjs/grunt/commit/433f91b) ### [`v1.5.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.1) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.0...v1.5.1) - Merge pull request [#​1742](https://redirect.github.com/gruntjs/grunt/issues/1742) from gruntjs/update-symlink-test [`ad22608`](https://redirect.github.com/gruntjs/grunt/commit/ad22608) - Fix symlink test [`0652305`](https://redirect.github.com/gruntjs/grunt/commit/0652305) ### [`v1.5.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.0) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.4.1...v1.5.0) - Updated changelog [`b2b2c2b`](https://redirect.github.com/gruntjs/grunt/commit/b2b2c2b) - Merge pull request [#​1740](https://redirect.github.com/gruntjs/grunt/issues/1740) from gruntjs/update-deps-22-10 [`3eda6ae`](https://redirect.github.com/gruntjs/grunt/commit/3eda6ae) - Update testing matrix [`47d32de`](https://redirect.github.com/gruntjs/grunt/commit/47d32de) - More updates [`2e9161c`](https://redirect.github.com/gruntjs/grunt/commit/2e9161c) - Remove console log [`04b960e`](https://redirect.github.com/gruntjs/grunt/commit/04b960e) - Update dependencies, tests... [`aad3d45`](https://redirect.github.com/gruntjs/grunt/commit/aad3d45) - Merge pull request [#​1736](https://redirect.github.com/gruntjs/grunt/issues/1736) from justlep/main [`fdc7056`](https://redirect.github.com/gruntjs/grunt/commit/fdc7056) - support .cjs extension [`e35fe54`](https://redirect.github.com/gruntjs/grunt/commit/e35fe54) ### [`v1.4.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.4.1) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.4.0...v1.4.1) - Update Changelog [`e7625e5`](https://redirect.github.com/gruntjs/grunt/commit/e7625e5) - Merge pull request [#​1731](https://redirect.github.com/gruntjs/grunt/issues/1731) from gruntjs/update-options [`5d67e34`](https://redirect.github.com/gruntjs/grunt/commit/5d67e34) - Fix ci install [`d13bf88`](https://redirect.github.com/gruntjs/grunt/commit/d13bf88) - Switch to Actions [`08896ae`](https://redirect.github.com/gruntjs/grunt/commit/08896ae) - Update grunt-known-options [`eee0673`](https://redirect.github.com/gruntjs/grunt/commit/eee0673) - Add note about a breaking change [`1b6e288`](https://redirect.github.com/gruntjs/grunt/commit/1b6e288) ### [`v1.4.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.4.0) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.3.0...v1.4.0) - Merge pull request [#​1728](https://redirect.github.com/gruntjs/grunt/issues/1728) from gruntjs/update-deps-changelog [`63b2e89`](https://redirect.github.com/gruntjs/grunt/commit/63b2e89) - Update changelog and util dep [`106ed17`](https://redirect.github.com/gruntjs/grunt/commit/106ed17) - Merge pull request [#​1727](https://redirect.github.com/gruntjs/grunt/issues/1727) from gruntjs/update-deps-apr [`49de70b`](https://redirect.github.com/gruntjs/grunt/commit/49de70b) - Update CLI and nodeunit [`47cf8b6`](https://redirect.github.com/gruntjs/grunt/commit/47cf8b6) - Merge pull request [#​1722](https://redirect.github.com/gruntjs/grunt/issues/1722) from gruntjs/update-through [`e86db1c`](https://redirect.github.com/gruntjs/grunt/commit/e86db1c) - Update deps [`4952368`](https://redirect.github.com/gruntjs/grunt/commit/4952368) ### [`v1.3.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.3.0) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.2.1...v1.3.0) - Merge pull request [#​1720](https://redirect.github.com/gruntjs/grunt/issues/1720) from gruntjs/update-changelog-deps [`faab6be`](https://redirect.github.com/gruntjs/grunt/commit/faab6be) - Update Changelog and legacy-util dependency [`520fedb`](https://redirect.github.com/gruntjs/grunt/commit/520fedb) - Merge pull request [#​1719](https://redirect.github.com/gruntjs/grunt/issues/1719) from gruntjs/yaml-refactor [`7e669ac`](https://redirect.github.com/gruntjs/grunt/commit/7e669ac) - Switch to use `safeLoad` for loading YML files via `file.readYAML`. [`e350cea`](https://redirect.github.com/gruntjs/grunt/commit/e350cea) - Merge pull request [#​1718](https://redirect.github.com/gruntjs/grunt/issues/1718) from gruntjs/legacy-log-bumo [`7125f49`](https://redirect.github.com/gruntjs/grunt/commit/7125f49) - Bump legacy-log [`00d5907`](https://redirect.github.com/gruntjs/grunt/commit/00d5907) ### [`v1.2.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.2.1) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.2.0...v1.2.1) - Changelog update [`ae11839`](https://redirect.github.com/gruntjs/grunt/commit/ae11839) - Merge pull request [#​1715](https://redirect.github.com/gruntjs/grunt/issues/1715) from sibiraj-s/remove-path-is-absolute [`9d23cb6`](https://redirect.github.com/gruntjs/grunt/commit/9d23cb6) - Remove path-is-absolute dependency [`e789b1f`](https://redirect.github.com/gruntjs/grunt/commit/e789b1f) ### [`v1.2.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.2.0) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.1.0...v1.2.0) - Allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of node_modules directly inside package that have a dev dependency to these plugin[https://github.com/gruntjs/grunt/pull/1677](https://redirect.github.com/gruntjs/grunt/pull/1677)nt/pull/1677) - Removed coffeescript from dependencies. To ease transition, if coffeescript is still around, Grunt will attempt to load it. If it is not, and the user loads a CoffeeScript file, Grunt will print a useful error indicating that the coffeescript package should be installed as a dev dependency. This is considerably more user-friendly than dropping the require entirely, but doing so is feasible with the latest grunt-cli as users may simply use grunt --require [https://github.com/gruntjs/grunt/pull/1675](https://redirect.github.com/gruntjs/grunt/pull/1675)thub.com/gruntjs/grunt/pull/1675) - Exposes Grunt Option keys for ease of use. ([https://github.com/gruntjs/grunt/pull/1570](https://redirect.github.com/gruntjs/grunt/pull/1570)1570) - Avoiding infinite loop on very long command names. ([https://github.com/gruntjs/grunt/pull/1697](https://redirect.github.com/gruntjs/grunt/pull/1697)1697) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Asia/Bangkok, Automerge - "0 */6 * * *" in timezone Asia/Bangkok. 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/davidsneighbour/hugo-modules). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
6 participants
allow usage of grunt plugins that are located in any location that
is visible to Node.js and NPM, instead of
node_modulesdirectlyinside package that have a dev dependency to these plugins.
Fix #1676.