2019 May 10
Committed the WordPress 5.2 update (Build 299) and published Builds 298 and 299 to GitHub. When I checked in Build 299 to GitHub, it reported: remote: GitHub found 1 vulnerability on Fourmilab/ratburger.org's default branch (1 high). The URL they give you to view the alert does not work unless you're logged in to your GitHub account. Tracking it down, this is the vulnerability detected: .https://github.com/Fourmilab/ratburger.org/network/alert/wp-content/themes/twentynineteen/package-lock.json/tar/open which turns out to be in a file belonging to the "twentynineteen" theme which we don't use. The specific vulnerability is that in the list of dependencies for the theme they allow a version of NodeJS tar which has a remote file overwrite vulnerability. Well, after two attempts to patch the tar version in the file: wp-content/themes/twentynineteen/package-lock.json (Builds 300 and 301), I just added the pile of crap to ~/.gitignore. That did it (Build 302). Restored the original version of: wp-content/themes/twentynineteen/package-lock.json backing out my earlier futile changes to patch the tar problem. Even though the file is in .gitignore, Git marked it as a change and wanted me to commit it (Build 303). I published the change on GitHub. After two hours of wasted time, enormous frustration, and Builds 304 through 306, all in vain, I finally figured out that adding a file to .gitignore isn't sufficient to keep Git from looking at it, and GitHub gigging it for a vulnerability. After adding the file to .gitignore, you have to remove it from Git tracking with: git rm -r --cached wp-content/themes/twentynineteen/package-lock.json Note that this does not delete the local file; it just purges it from the Git repository. It will now show up as a "deleted" item in "git status". When you then commit the change (Build 307), it will be gone from the local repository. You can then "git sync" to publish on GitHub and the alert will go away. Now, I could finally restore the original: wp-content/themes/twentynineteen/package-lock.json from the 5.2 distribution, replacing the version I futilely tried to hack to make the alert go away. Since the theme isn't used, there's no functional reason to do this, but restoring the stock file will eliminate confusion as to where the changes came from when we next install an update to WordPress. Since the file has now been removed from the repository and added to .gitignore, the change was not tracked by Git and generated no Build number. From this experience, it appears the Microsoftisation of GitHub is well underway. Updated the repository mirror on Juno through Build 307. Updated the Subscribe to Comments Reloaded plug-in to version 190510. This is a minor update which adds a new option to allow subscriptions on regular posts but not Pages and custom post types. I left this at the default, which allows subscriptions on all kinds of what WordPress considers "posts", which is how it behaved before. They also increased the compatibility claim up to 5.2. We have no local code in this plug-in. I looked at the configuration page and everything looks all right. sThe Manage subscriptions page also looks as it should be. This is probably all right, but I'll let it run a few hours before committing the changes. Stopped the Ratburger Test instance. We're done with pre-release testing of WordPress 5.2 and the production server has already begun to diverge from the state of this system, so there's no reason to keep it running and pay the CPU costs it incurs. I'll detach and delete its /server volume in a day or two to economise on storage fees. Several hours later, there have been no apparent problems with the Subscribe to Comments Reloaded plug-in update so I committed the changes (Build 308) and published them on GitHub.