From 269c8baa33e2fd6a96cbd86fbf758af748dadb9c Mon Sep 17 00:00:00 2001
From: Aaron Jorbin
Date: Sat, 5 Oct 2019 13:47:52 +0000
Subject: [PATCH] Build/Test Tools: Fork and Update `grunt-replace`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The version of grunt replace that is bundled in core is using an outdated version of lodash that is bringing 2 low, 3 high, and 1 critical issue. This package is currently abandoned. There is a community forked version, but that is also harboring some similar security issues. This switches to a fork by @whyisjake and causes no change to the build. See #48203. Fixes #48217. Props whyisjake, netweb for testing.
git-svn-id: https://develop.svn.wordpress.org/trunk@46403 602fd350-edb4-49c9-b593-d223f7449a82
---
 package-lock.json | 66 +++++++++++++++++++++--------------------------
 package.json | 2 +-
 2 files changed, 30 insertions(+), 38 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 3c1af9d7dd..4ce18a2d8f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3469,25 +3469,6 @@
 }
 }
 },
- "applause": {
- "version": "1.2.2",
- "resolved": "https://registry.npmjs.org/applause/-/applause-1.2.2.tgz",
- "integrity": "sha1-qEaFeegfZzl7tWNMKZU77c0PVsA=",
- "dev": true,
- "requires": {
- "cson-parser": "^1.1.0",
- "js-yaml": "^3.3.0",
- "lodash": "^3.10.0"
- },
- "dependencies": {
- "lodash": {
- "version": "3.10.1",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz",
- "integrity": "sha1-W/Rejkm6QYnhfUgnid/RW9FAt7Y=",
- "dev": true
- }
- }
- },
 "aproba": {
 "version": "1.2.0",
 "resolved": "https://registry.npmjs.org/aproba/-/aproba-1.2.0.tgz",
@@ -3506,7 +3487,7 @@
 "dependencies": {
 "file-type": {
 "version": "3.9.0",
- "resolved": "http://registry.npmjs.org/file-type/-/file-type-3.9.0.tgz",
+ "resolved": "https://registry.npmjs.org/file-type/-/file-type-3.9.0.tgz",
 "integrity": "sha1-JXoHg4TR24CHvESdEH1SpSZyuek=",
 "dev": true,
 "optional": true
@@ -4669,7 +4650,7 @@
 },
 "uuid": {
 "version": "2.0.3",
- "resolved": "http://registry.npmjs.org/uuid/-/uuid-2.0.3.tgz",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-2.0.3.tgz",
 "integrity": "sha1-Z+LoY3lyFVMN/zGOW/nc6/1Hsho=",
 "dev": true,
 "optional": true
@@ -4758,7 +4739,7 @@
 },
 "bl": {
 "version": "1.2.2",
- "resolved": "http://registry.npmjs.org/bl/-/bl-1.2.2.tgz",
+ "resolved": "https://registry.npmjs.org/bl/-/bl-1.2.2.tgz",
 "integrity": "sha512-e8tQYnZodmebYDWGH7KMRvtzKXaJHx3BbilrgZCfvyLUYdKpK1t5PSPmpkny/SgiTSCnjfLW7v5rlONXVFkQEA==",
 "dev": true,
 "optional": true,
@@ -4944,7 +4925,7 @@
 },
 "browserify-aes": {
 "version": "1.2.0",
- "resolved": "http://registry.npmjs.org/browserify-aes/-/browserify-aes-1.2.0.tgz",
+ "resolved": "https://registry.npmjs.org/browserify-aes/-/browserify-aes-1.2.0.tgz",
 "integrity": "sha512-+7CHXqGuspUn/Sl5aO7Ea0xWGAtETPXNSAjHo48JfLdPWcMng33Xe4znFvQweqc/uzk5zSOI3H52CYnjCfb5hA==",
 "dev": true,
 "requires": {
@@ -5096,14 +5077,14 @@
 "dependencies": {
 "file-type": {
 "version": "3.9.0",
- "resolved": "http://registry.npmjs.org/file-type/-/file-type-3.9.0.tgz",
+ "resolved": "https://registry.npmjs.org/file-type/-/file-type-3.9.0.tgz",
 "integrity": "sha1-JXoHg4TR24CHvESdEH1SpSZyuek=",
 "dev": true,
 "optional": true
 },
 "uuid": {
 "version": "2.0.3",
- "resolved": "http://registry.npmjs.org/uuid/-/uuid-2.0.3.tgz",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-2.0.3.tgz",
 "integrity": "sha1-Z+LoY3lyFVMN/zGOW/nc6/1Hsho=",
 "dev": true,
 "optional": true
@@ -6011,7 +5992,7 @@
 "dependencies": {
 "cacache": {
 "version": "10.0.4",
- "resolved": "http://registry.npmjs.org/cacache/-/cacache-10.0.4.tgz",
+ "resolved": "https://registry.npmjs.org/cacache/-/cacache-10.0.4.tgz",
 "integrity": "sha512-Dph0MzuH+rTQzGPNT9fAnrPmMmjKfST6trxJeK7NQuHRaVw24VzPRWTmg9MpcwOVQZO0E1FBICUlFeNaKPIfHA==",
 "dev": true,
 "requires": {
@@ -7475,7 +7456,7 @@
 },
 "duplexer": {
 "version": "0.1.1",
- "resolved": "http://registry.npmjs.org/duplexer/-/duplexer-0.1.1.tgz",
+ "resolved": "https://registry.npmjs.org/duplexer/-/duplexer-0.1.1.tgz",
 "integrity": "sha1-rOb/gIwc5mtX0ev5eXessCM0z8E=",
 "dev": true
 },
@@ -10759,7 +10740,7 @@
 "dependencies": {
 "async": {
 "version": "0.2.10",
- "resolved": "http://registry.npmjs.org/async/-/async-0.2.10.tgz",
+ "resolved": "https://registry.npmjs.org/async/-/async-0.2.10.tgz",
 "integrity": "sha1-trvgsGdLnXGXCMo43owjfLUmw9E=",
 "dev": true
 },
@@ -10919,7 +10900,7 @@
 },
 "uglify-js": {
 "version": "2.7.5",
- "resolved": "http://registry.npmjs.org/uglify-js/-/uglify-js-2.7.5.tgz",
+ "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-2.7.5.tgz",
 "integrity": "sha1-RhLAx7qu4rp8SH3kkErhIgefLKg=",
 "dev": true,
 "requires": {
@@ -10931,7 +10912,7 @@
 },
 "yargs": {
 "version": "3.10.0",
- "resolved": "http://registry.npmjs.org/yargs/-/yargs-3.10.0.tgz",
+ "resolved": "https://registry.npmjs.org/yargs/-/yargs-3.10.0.tgz",
 "integrity": "sha1-9+572FfdfB0tOMDnTvvWgdFDH9E=",
 "dev": true,
 "requires": {
@@ -11267,16 +11248,16 @@
 }
 }
 },
- "grunt-replace": {
- "version": "1.0.1",
- "resolved": "https://registry.npmjs.org/grunt-replace/-/grunt-replace-1.0.1.tgz",
- "integrity": "sha1-kKeVMvuJBB/kJ8h9QlI4sPiGZRo=",
+ "grunt-replace-lts": {
+ "version": "1.1.0",
+ "resolved": "https://registry.npmjs.org/grunt-replace-lts/-/grunt-replace-lts-1.1.0.tgz",
+ "integrity": "sha512-YCLFHDM7/mEb+7tzdstb756ZYEUTSiyiEj5XhfLIxmVrDKShXQ8STD9f0s7HZXwwHwxFgPr4zELSP7J3kYra7w==",
 "dev": true,
 "requires": {
- "applause": "1.2.2",
 "chalk": "^1.1.0",
 "file-sync-cmp": "^0.1.0",
- "lodash": "^4.11.0"
+ "lodash": "^4.17.15",
+ "next-applause": "^2.2.4"
 }
 },
 "grunt-rtlcss": {
@@ -15869,6 +15850,17 @@
 "integrity": "sha512-iyam8fBuCUpWeKPGpaNMetEocMt364qkCsfL9JuhjXX6dRnguRVOfk2GZaDpPjcOKiiXCPINZC1GczQ7iTq3Zw==",
 "dev": true
 },
+ "next-applause": {
+ "version": "2.2.4",
+ "resolved": "https://registry.npmjs.org/next-applause/-/next-applause-2.2.4.tgz",
+ "integrity": "sha512-ktqjWT512q6vzAYnmRfJcqqVCA7ft8VcqkfBzgWuqI9SDSHM//B+hvjrGlkNzOzDMzljc3flok01t79OGkRVXQ==",
+ "dev": true,
+ "requires": {
+ "cson-parser": "^1.2.0",
+ "js-yaml": "^3.3.0",
+ "lodash": "^4.17.11"
+ }
+ },
 "nice-try": {
 "version": "1.0.5",
 "resolved": "https://registry.npmjs.org/nice-try/-/nice-try-1.0.5.tgz",
@@ -16888,7 +16880,7 @@
 "dependencies": {
 "progress": {
 "version": "1.1.8",
- "resolved": "http://registry.npmjs.org/progress/-/progress-1.1.8.tgz",
+ "resolved": "https://registry.npmjs.org/progress/-/progress-1.1.8.tgz",
 "integrity": "sha1-4mDHj2Fhzdmw5WzD4Khd4Xx6V74=",
 "dev": true
 }
diff --git a/package.json b/package.json
index 917e6f8f44..57f0c28ad7 100644
--- a/package.json
+++ b/package.json
@@ -41,7 +41,7 @@
 "grunt-legacy-util": "^1.1.1",
 "grunt-patch-wordpress": "~2.0.0",
 "grunt-postcss": "~0.9.0",
- "grunt-replace": "~1.0.1",
+ "grunt-replace-lts": "~1.1.0",
 "grunt-rtlcss": "~2.0.1",
 "grunt-sass": "~3.0.2",
 "grunt-webpack": "^3.1.3",
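Review bot: The `~1.1.0` range on the new `grunt-replace-lts` line in package.json lets any install that re-resolves dependencies pick up a later 1.1.x release of a fork that the commit message attributes to one contributor; only the sha512 `integrity` value in package-lock.json ties the build to the tarball that was reviewed. Since the swap is made for security reasons, consider an exact pin, `"grunt-replace-lts": "1.1.0",`, and installing with `npm ci` in CI so the lockfile hash is actually enforced. In the lockfile hunks, `next-applause` declares `"lodash": "^4.17.11"`, a lower floor than the `^4.17.15` that `grunt-replace-lts` requires, so it is worth confirming with `npm ls lodash` and `npm audit` that no older nested lodash copy remains, as 3.10.1 did under `applause`. The diff does not show how the Grunt task is loaded, so the statement that the build is unchanged cannot be checked from these two files.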