Gulp 4.0.2 Prototype Pollution Vulnerability due to Dependency (set-value, depth=10+) #2354

@poorejc

Description

This tracker is for bug reports only.

Before opening an issue, please make sure you've checked the following:

  • For support requests, please use Stack Overflow (stackoverflow.com) or Gitter (see the README).

  • If the bug is in a plugin, open an issue on the plugin repository, not the gulp repository.

  • If you're getting a deprecated module warning, don't worry about it: we're aware of it and it's not an issue. To make it go away, update to Gulp 4.0.

  • If you're asking about the status of Gulp 4, please don't! You can see the remaining issues on the gulp4 label: https://github.com/gulpjs/gulp/issues?q=is%3Aissue+is%3Aopen+label%3Agulp4


What were you expecting to happen?

npm install to reveal no vulnerabilities

What actually happened?

npm detected 40+ Prototype Pollution vulnerabilities due to Gulp. Gulp ^4.0.2 is a top-level [dev] dependency; multiple downstream Gulp dependencies rely on set-value (at depth 10+), which has the Prototype Pollution vulnerability, including gulp/gulp-cli.

Please post a sample of your gulpfile (preferably reduced to just the bit that's not working)

Builds run fine. Security issue.

What version of gulp are you using?

4.0.2 (latest)

What versions of npm and node are you using?

12.2.0/6.9.0
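As an added illustration (not code from gulp, gulp-cli or set-value), here is a simplified "deep set" helper of the kind npm audit flagged in this report: the naive form lets a dotted path walk into Object.prototype, while the hardened form rejects prototype-reaching segments and only descends into own properties. The names `naiveSet`, `safeSet` and `demo` are my own; the attack-style path is constructed for the demonstration.

```javascript
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Naive deep-set: creates nested objects for each dotted path segment.
// Nothing filters the segments, so "__proto__.polluted" walks into
// Object.prototype and the write leaks to every plain object.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep-set: rejects prototype-reaching segments up front and only
// descends into own properties, so writes stay inside `target`.
function safeSet(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => POLLUTION_KEYS.has(k))) {
    throw new Error(`refusing unsafe key path: ${path}`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both helpers on a constructed prototype-reaching path, then removes
// the polluted property so the rest of the process is unaffected.
function demo() {
  const r = {};
  naiveSet({}, '__proto__.polluted', true);
  r.naivePollutes = ({}).polluted === true;
  delete Object.prototype.polluted;
  let threw = false;
  try { safeSet({}, '__proto__.polluted', true); } catch (e) { threw = true; }
  r.safeRejects = threw && ({}).polluted === undefined;
  r.safeNormal = safeSet({}, 'a.b.c', 1).a.b.c === 1;
  return r;
}
```

The same key filtering and own-property check is the pattern to look for when reviewing whether a patched deep-set dependency actually closes the hole.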
