chore(deps): update dependency gulp to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gulp (source)	3.9.1 → 5.0.1

---

Release Notes

gulpjs/gulp (gulp)

v5.0.1

Compare Source

v5.0.0

Compare Source

We've tried to provide a high-level changelog for gulp v5 below, but it
doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down
into all changes that were made.

⚠ BREAKING CHANGES

• Drop support for Node.js <10.13
• Default stream encoding to UTF-8
• Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
• Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
• All globs and paths are normalized to unix-like filepaths
• Only allow JS variants for .gulp.* config files
• Removed support for alpha releases of v4 from gulp-cli
• Removed the --verify flag
• Renamed the --require flag to --preload to avoid conflicting with Node.js flags
• Removed many legacy and deprecated loaders
• Upgrade to chokidar v3
• Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
• Stop using process.umask() to make directories, instead falling back to Node's default mode
• Throw on non-function, non-string option coercers
• Drop support of Node.js snake_case flags
• Use a Symbol for attaching the gulplog namespace to the store
• Use a Symbol for attaching the gulplog store to the global
• Use sha256 to hash the v8flags cache into a filename

Features

• Streamlined the dependency tree
• Switch all streams implementation to Streamx
• Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
• Implement translation support for all CLI messages and all messages passing through gulplog
• Allow users to customize or remove the timestamp from their logs
• Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
• Added support for gulpile.cjs and gulpfile.mjs
• Add support for swc, esbuild, sucrase, and mdx loaders
• Provide an ESM export (#​2760) (b00de68)
• Support sourcemap handling on streaming Vinyl contents
• Support extends syntax for .gulp.* config file
• Allow overriding gulpfile and preloads via .gulp.* config file

Bug Fixes

• Resolve bugs related to symlinks on various platforms
• Resolved some reported ReDoS CVEs and improved performance in glob-parent
• Rework errors surfaced when encountering files or symlinks when trying to create directories
• Ensure watch allows japanese characters in globs (72668c6)
• Ensure watch does not trigger on negated globs (72668c6)
• Improve handling of BOM at the beginning of a stream
• Properly handle function coercer in array of option coercers
• Fork to-absolute-glob to:
  • Check negative patterns before trimming
  • Ensure glob-like characters are escaped in cwd & root options
  • Resolve ../ at the beginning of globs

Miscellaneous Chores

• Remove lazystream dependency
• Updated various stream test suites to test against Node.js core stream, readable-stream, and streamx
• Normalize repository, dropping node <10.13 support (#​2758) (72668c6)

Individual Changelogs

We created and maintain various projects that gulp depends upon. You can find their changelogs linked below:

• undertaker
• vinyl-fs
• glob-stream
• gulp-cli
• interpret
• glob-parent
• glob-watcher
• vinyl
• fs-mkdirp-stream
• lead
• vinyl-sourcemap
• to-through
• resolve-options
• remove-bom-stream
• value-or-function
• now-and-later
• @​gulpjs/to-absolute-glob
• fined
• mute-stdout
• semver-greatest-satisfied-range
• flagged-respawn
• rechoir
• gulplog
• glogg
• @​gulpjs/messages
• sparkles
• liftoff
• v8flags
• bach
• undertaker-registry
• async-settle
• last-run
• async-done
• replace-homedir

v4.0.2

Compare Source

Fix

• Bind src/dest/symlink to the gulp instance to support esm exports (5667666) - Ref standard-things/esm#797

Docs

• Add notes about esm support (4091bd3) - Closes #​2278
• Fix the Negative Globs section & examples (3c66d95) - Closes #​2297
• Remove next tag from recipes (1693a11) - Closes #​2277
• Add default task wrappers to Watching Files examples to make runnable (d916276) - Closes #​2322
• Fix syntax error in lastRun API docs (ea52a92) - Closes #​2315
• Fix typo in Explaining Globs (5d81f42) - Closes #​2326

Build

• Add node 12 to Travis & Azure (b4b5a68)

v4.0.1

Compare Source

Fix

• Temporary workaround for facebook/Docusaurus#257 (9f4a2e9) - Closes facebook/Docusaurus#257

Docs

• Fix error in ES2015 usage example (a4e8d48) - Closes #​2099 #​2100
• Add temporary notice for 4.0.0 vs 3.9.1 documentation (126423a) - Closes #​2121
• Improve recipe for empty glob array (45830cf) - Closes #​2122
• Reword standard to default (b065a13)
• Fix recipe typo (86acdea) - Closes #​2156
• Add front-matter to each file (d693e49) - Closes #​2109
• Rename "Getting Started" to "Quick Start" & update it (6a0fa00)
• Add "Creating Tasks" documentation (21b6962)
• Add "JavaScript and Gulpfiles" documentation (31adf07)
• Add "Working with Files" documentation (50fafc6)
• Add "Async Completion" documentation (ad8b568)
• Add "Explaining Globs" documentation (f8cafa0)
• Add "Using Plugins" documentation (233c3f9)
• Add "Watching Files" documentation (f3f2d9f)
• Add Table of Contents to "Getting Started" directory (a43caf2)
• Improve & fix parts of Getting Started (84b0234)
• Create and link-to a "docs missing" page for LINK_NEEDED references (2bd75d0)
• Redirect users to new Getting Started guides (53e9727)
• Temporarily reference gulp@​next in Quick Start (2cecf1e)
• Fixed a capitalization typo in a heading (3d051d8) - Closes #​2242
• Use h2 headers within Quick Start documentation (921312c) - Closes #​2241
• Fix for nested directories references (4c2b9a7)
• Add some more cleanup for Docusaurus (6a8fd8f)
• Temporarily point LINK_NEEDED references to documentation-missing.md (df7cdcb)
• API documentation improvements based on feedback (0a68710)
• Update API Table of Contents (d6dd438)
• Add API Concepts documentation (8dd3361)
• Add Vinyl.isCustomProp() documentation (40ee801)
• Add Vinyl.isVinyl() documentation (25a22bf)
• Add Vinyl documentation (fc09067)
• Update watch() documentation (69c22f0)
• Update tree() documentation (ebb9818)
• Update task() documentation (b636a9c)
• Update symlink() documentation (d580efa)
• Update src() documentation (d95b457)
• Update series() documentation (4169cb6)
• Update registry() documentation (d680487)
• Update parallel() documentation (dc3cba7)
• Update lastRun() documentation (363df21)
• Update dest() documentation (e447d81)
• Split API docs into separate markdown files (a3b8ce1)
• Fix hash link (af4bd51)
• Replace some links in Getting Started (c433c70)
• Remove temporary workaround for facebook/Docusaurus#257 (5c07954) - Closes facebook/Docusaurus#257
• Added code ticks to "null" where missing (cb67319) - Closes #​2243
• Fix broken link in lastRun (d35653e)
• Add front-matter to documentation-missing page (a553cfd)
• Improve grammar on Concepts (01cfcc5) - Closes #​2247
• Remove spaces around
  (c960c1d)
• Improve grammar in src (eb493a2) - Closes #​2248
• Fix formatting error (ca6ba35) - Closes #​2250
• Fix formatting of lastRun (8569f85) - Closes #​2251
• Add missing link in watch (e35bdac) - Closes #​2252
• Fix broken link in tasks (6d43750) - Closes #​2253
• Improve punctuation in tree (8e9fd70) - Closes #​2254
• Fix mistake in "Splitting a gulpfile" (96c353d) - Closes #​2255
• Remove front-matter from outdated pages (c5af6f1)
• Fix broken link in Table of Contents (c641369) - Closes #​2260
• Update the babel dependencies to install & configuration needed (7239cf1) - Closes #​2136
• Add "What's new in 4.0" section (75ea634) - Closes #​2089 #​2267
• Cleanup README for "latest" bump (24e202b) - Closes #​2268
• Revert "next" reference now that 4.0 is latest (ed27cbe)
• Add Azure Pipelines badge (f3f0548) - Closes #​2310
• Add note about transpilation to "Splitting a Gulpfile" section (53b9037) - Closes #​2311 #​2312
• Improve wording of file rename (88437f2) - Closes #​2314

Upgrade

• Update glob-watcher, gulp-cli, and undertaker dependencies & rimraf devDep (d3734d3)

Build

• Add node 10 to CI matrices (a5eac1c)
• Remove jscs & update eslint for code formatting rules (ad8a2f7)
• Fix Azure comment (34a6d53) - Closes #​2307
• Add Azure Pipelines CI (b2c6c7e) - Closes #​2299

Scaffold

• Mark *.png and *.jpg as binary files to git (a010db6)
• Update some links and license year (1027236)
• Add tidelift configuration (49b5aca)
• Add new expense policy (9819957)
• Add support-bot template (9078c49)

v4.0.0

Compare Source

Task system changes

• replaced 3.x task system (orchestrator) with new task system (bach)
  • removed gulp.reset
  • removed 3 argument syntax for gulp.task
  • gulp.task should only be used when you will call the task with the CLI
  • added gulp.series and gulp.parallel methods for composing tasks. Everything must use these now.
  • added single argument syntax for gulp.task which allows a named function to be used as the name of the task and task function.
  • added gulp.tree method for retrieving the task tree. Pass { deep: true } for an archy compatible node list.
  • added gulp.registry for setting custom registries.

CLI changes

• split CLI out into a module if you want to save bandwidth/disk space. you can install the gulp CLI using either npm install gulp -g or npm install gulp-cli -g, where gulp-cli is the smaller one (no module code included)
• add --tasks-json flag to CLI to dump the whole tree out for other tools to consume
• added --verify flag to check the dependencies in package.json against the plugin blacklist.

vinyl/vinyl-fs changes

• added gulp.symlink which functions exactly like gulp.dest, but symlinks instead.
• added dirMode param to gulp.dest and gulp.symlink which allows better control over the mode of the destination folder that is created.
• globs passed to gulp.src will be evaluated in order, which means this is possible gulp.src(['*.js', '!b*.js', 'bad.js']) (exclude every JS file that starts with a b except bad.js)
• performance for gulp.src has improved massively
  • gulp.src(['**/*', '!b.js']) will no longer eat CPU since negations happen during walking now
• added since option to gulp.src which lets you only match files that have been modified since a certain date (for incremental builds)
• fixed gulp.src not following symlinks
• added overwrite option to gulp.dest which allows you to enable or disable overwriting of existing files

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	gulp@​3.9.1 ⏵ 5.0.1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		merge-deep@1.0.3 has a Critical CVE. CVE: GHSA-r6rj-9ch6-g264 Prototype pollution in Merge-deep (CRITICAL) Affected versions: < 3.0.3 Patched version: 3.0.3 From: ? → npm/merge-deep@1.0.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/merge-deep@1.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		set-value@0.2.0 has a Critical CVE. CVE: GHSA-4g88-fppr-53pp Prototype Pollution in set-value (CRITICAL) Affected versions: = 3.0.0; < 2.0.1; >= 3.0.0 < 3.0.1 Patched version: 2.0.1 From: ? → npm/set-value@0.2.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/set-value@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report