I've been using Gulp for a while now and recently I noticed that there are security warnings when I install or update packages. I run the audit and get a lot of information, but I'm not sure if this applies in particular to use on a production server or if it also applies to a local server.
I've also tried using Gulp 4 and it seems fine, but I was just curious about the 3.9.1 version since there are still some differences.
I guess the short question is: is Gulp 3.9.1 safe to use in a local environment, or does it create a security issue?
I would say it's safe. Here are my thoughts on the reported vulnerabilities:
- There are 4 High vulnerabilities of type Regular Expression Denial of Service for the minimatch module. These are mostly related to user input; Gulp is just a build tool, so I don't see how it could be affected by this.
- Low vulnerability of type Prototype Pollution for the lodash module. I can't say for sure, but you might be affected by this if you load some unknown external modules in your build; otherwise you would be fine.

In any case, updating to Gulp 4 should remove all doubts.
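To make the "Prototype Pollution" advisory the answer mentions concrete: it is the class of bug where a recursive merge or deep-set walks an attacker-controlled key such as `__proto__` and ends up writing onto `Object.prototype`, so every object in the process inherits the injected property. The example below is added here and is neither the answerer's code nor lodash's implementation; it is a minimal hand-written deep merge with the flaw, beside a hardened variant, fed a constructed JSON blob standing in for a config or plugin options object that a build might read from an untrusted source. The key names (`tasks`, `build`, `polluted`) and the config string are illustrative assumptions.

```javascript
// Added example: prototype pollution via a naive recursive merge, and the fix.
// Not lodash's code; a small stand-in that shows the mechanism.

// Constructed input: a JSON config with a hostile "__proto__" key.
// JSON.parse turns it into an ordinary own property, so Object.keys() returns it.
const UNTRUSTED_CONFIG =
  '{"tasks":{"build":"src/**/*.js"},"__proto__":{"polluted":"yes"}}';

// Vulnerable: copies every key. For key "__proto__", target[key] resolves to
// Object.prototype (via the inherited accessor), so the recursion writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into properties the target actually owns (never into inherited objects).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the vulnerable merge, records whether an unrelated object now inherits
// the injected property, then cleans up so the rest of the process is unaffected.
function demoNaive() {
  const result = naiveMerge({}, JSON.parse(UNTRUSTED_CONFIG));
  const leaked = ({}).polluted; // 'yes' if Object.prototype was written to
  delete Object.prototype.polluted;
  return { leaked, hasTasks: result.tasks.build === 'src/**/*.js' };
}

// Runs the hardened merge: legitimate keys are copied, the hostile key is dropped.
function demoSafe() {
  const result = safeMerge({}, JSON.parse(UNTRUSTED_CONFIG));
  return {
    leaked: ({}).polluted, // stays undefined
    hasTasks: result.tasks.build === 'src/**/*.js',
    keptProtoKey: Object.prototype.hasOwnProperty.call(result, '__proto__'),
  };
}

console.log('naive:', demoNaive());
console.log('safe: ', demoSafe());
```

The practical point for a build tool is that the merge's caller decides the exposure: if the only objects ever merged are your own `gulpfile` options, nothing hostile reaches it; if a plugin merges configuration it pulled from a repository, a registry, or user-supplied files, the same code becomes a way to tamper with every object in the process.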