Skip to content

Bump gulp from 4.0.2 to 5.0.1#1091

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/gulp-5.0.1
Open

Bump gulp from 4.0.2 to 5.0.1#1091
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/gulp-5.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Copy link
Copy Markdown
Contributor

Bumps gulp from 4.0.2 to 5.0.1.

Release notes

Sourced from gulp's releases.

gulp v5.0.1

Bug Fixes

  • Avoid globbing before read stream is opened (#2839) (19122f3)
  • Avoid Node.js deprecation warning for fs.Stats (#2838) (69a5d0e)
  • Support top-level await on Node 22.12+ (#2836) (04b4a74)

gulp v5.0.0

We've tried to provide a high-level changelog for gulp v5 below, but it doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down into all changes that were made.

⚠ BREAKING CHANGES

  • Drop support for Node.js <10.13
  • Default stream encoding to UTF-8
  • Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
  • Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
  • All globs and paths are normalized to unix-like filepaths
  • Only allow JS variants for .gulp.* config files
  • Removed support for alpha releases of v4 from gulp-cli
  • Removed the --verify flag
  • Renamed the --require flag to --preload to avoid conflicting with Node.js flags
  • Removed many legacy and deprecated loaders
  • Upgrade to chokidar v3
  • Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
  • Stop using process.umask() to make directories, instead falling back to Node's default mode
  • Throw on non-function, non-string option coercers
  • Drop support of Node.js snake_case flags
  • Use a Symbol for attaching the gulplog namespace to the store
  • Use a Symbol for attaching the gulplog store to the global
  • Use sha256 to hash the v8flags cache into a filename

Features

  • Streamlined the dependency tree
  • Switch all streams implementation to Streamx
  • Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
  • Implement translation support for all CLI messages and all messages passing through gulplog
  • Allow users to customize or remove the timestamp from their logs
  • Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
  • Added support for gulpile.cjs and gulpfile.mjs
  • Add support for swc, esbuild, sucrase, and mdx loaders
  • Provide an ESM export (#2760) (b00de68)
  • Support sourcemap handling on streaming Vinyl contents

... (truncated)

Changelog

Sourced from gulp's changelog.

5.0.1 (2025-06-01)

Bug Fixes

  • Avoid globbing before read stream is opened (#2839) (19122f3)
  • Avoid Node.js deprecation warning for fs.Stats (#2838) (69a5d0e)
  • Support top-level await on Node 22.12+ (#2836) (04b4a74)

5.0.0 (2024-03-29)

We've tried to provide a high-level changelog for gulp v5 below, but it doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down into all changes that were made.

⚠ BREAKING CHANGES

  • Drop support for Node.js <10.13
  • Default stream encoding to UTF-8
  • Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
  • Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
  • All globs and paths are normalized to unix-like filepaths
  • Only allow JS variants for .gulp.* config files
  • Removed support for alpha releases of v4 from gulp-cli
  • Removed the --verify flag
  • Renamed the --require flag to --preload to avoid conflicting with Node.js flags
  • Removed many legacy and deprecated loaders
  • Upgrade to chokidar v3
  • Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
  • Stop using process.umask() to make directories, instead falling back to Node's default mode
  • Throw on non-function, non-string option coercers
  • Drop support of Node.js snake_case flags
  • Use a Symbol for attaching the gulplog namespace to the store
  • Use a Symbol for attaching the gulplog store to the global
  • Use sha256 to hash the v8flags cache into a filename

Features

  • Streamlined the dependency tree
  • Switch all streams implementation to Streamx
  • Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
  • Implement translation support for all CLI messages and all messages passing through gulplog
  • Allow users to customize or remove the timestamp from their logs
  • Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
  • Added support for gulpile.cjs and gulpfile.mjs
  • Add support for swc, esbuild, sucrase, and mdx loaders
  • Provide an ESM export (#2760) (b00de68)
  • Support sourcemap handling on streaming Vinyl contents

... (truncated)

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 29, 2026
@greptile-apps

greptile-apps Bot commented Apr 29, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR bumps gulp from 4.0.2 to 5.0.1, a major version upgrade with several breaking changes. While package.json and package-lock.json are correctly updated, the existing gulpfile.js has not been adapted for gulp 5's breaking changes, which will cause problems at runtime.

  • Binary asset corruption: gulp 5 defaults gulp.src() to UTF-8 encoding. Tasks copying binary files (prod_copy_fonts, prod_copy_images, prod_pdf_viewer_files) need { encoding: false } to avoid silently corrupting fonts and images.
  • Stream incompatibility: gulp 5 uses Streamx internally; streamqueue (used in prod_minify_js) targets classic Node.js streams and may hang or produce incomplete output.

Confidence Score: 3/5

Not safe to merge without updating gulpfile.js — binary assets will be corrupted and JS bundling may break.

Two P1 issues exist in gulpfile.js: the default UTF-8 encoding in gulp 5 will silently corrupt all copied binary files (fonts, images), and the streamqueue/Streamx incompatibility may break JS bundling. Neither issue is in the changed files (package.json / package-lock.json), but this upgrade cannot function correctly without corresponding gulpfile changes.

gulpfile.js — needs { encoding: false } on binary-asset gulp.src() calls, and streamqueue usage should be verified or replaced.

Important Files Changed

Filename Overview
package.json Bumps gulp from ^4.0.2 to ^5.0.1; the change itself is minimal but introduces breaking behavior in the gulpfile for binary asset handling and stream compatibility.
package-lock.json Lock file updated by Dependabot to reflect gulp 5.0.1 and its updated transitive dependency tree (anymatch 3.x, new @gulpjs/to-absolute-glob, etc.); no anomalies in the lock file itself.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[gulp.src binary assets\nfonts / images / pdf viewer] -->|gulp 5 default: UTF-8 encoding| B{encoding: false?}
    B -- No --> C[Binary content decoded as UTF-8\nCorrupted output files]
    B -- Yes --> D[Binary content preserved\nCorrect output]

    E[prod_minify_js\nstreamqueue + gulp.src streams] -->|gulp 5: Streamx-based streams| F{streamqueue compatible?}
    F -- Uncertain --> G[Possible hang or\nmissing output]
    F -- Yes --> H[JS bundle produced correctly]
Loading

Comments Outside Diff (3)

  1. gulpfile.js, line 105-116 (link)

    P1 Binary files will be corrupted by default UTF-8 encoding in gulp 5

    gulp 5 changed the default encoding option for gulp.src() to 'utf8'. This means binary files — fonts (.eot, .woff, .ttf, .svg) and images (.png, .ico) — will be decoded as UTF-8 text and re-encoded on write, silently corrupting them. You need to pass { encoding: false } to gulp.src() for any task that reads binary assets.

    Affected tasks: prod_copy_fonts (line 105), prod_copy_images (line 111), and prod_pdf_viewer_files (line 147) at minimum.

    // Example fix for prod_copy_fonts:
    gulp.task('prod_copy_fonts', function () {
        return gulp.src('bower_components/bootstrap/fonts/*.*', { encoding: false })
            .pipe(gulp.dest('compair/static/fonts/'));
    });
  2. gulpfile.js, line 136-145 (link)

    P1 streamqueue may not be compatible with gulp 5's Streamx-based streams

    gulp 5 switched its internal streams implementation from Node.js streams to Streamx. The streamqueue package (v1.1.2) was designed for classic Node.js streams. Mixing Streamx-based gulp.src() streams with streamqueue can cause hangs or missing output at runtime, since Streamx streams are not fully duck-typed with Node.js Readable streams in all cases. Verify that streamqueue works correctly after upgrading, or replace it with gulp's built-in gulp.src() array/merge-stream approach.

  3. gulpfile.js, line 239-243 (link)

    P2 del.sync removed in newer del versions

    The del package v3 ("del": "^3.0.0") does expose .sync, but this is noted in the del changelog as a pattern to avoid. More importantly, if this dep is ever upgraded alongside this gulp bump, del v7+ removed .sync entirely. While this isn't broken today, the comment "use sync method, gulp doesn't seem to wait for async del" suggests a workaround that is no longer needed with gulp 4+ task-based async handling. Worth revisiting for forward compatibility.

Reviews (1): Last reviewed commit: "Bump gulp from 4.0.2 to 5.0.1" | Re-trigger Greptile

Bumps [gulp](https://github.com/gulpjs/gulp) from 4.0.2 to 5.0.1.
- [Release notes](https://github.com/gulpjs/gulp/releases)
- [Changelog](https://github.com/gulpjs/gulp/blob/master/CHANGELOG.md)
- [Commits](gulpjs/gulp@v4.0.2...v5.0.1)

---
updated-dependencies:
- dependency-name: gulp
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/gulp-5.0.1 branch from 7d50d2e to cd5c90d Compare April 29, 2026 16:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants