Bump gulp from 4.0.2 to 5.0.1 #1091

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/gulp-5.0.1

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Bumps gulp from 4.0.2 to 5.0.1.

Release notes

Sourced from gulp's releases.

gulp v5.0.1

Bug Fixes

  • Avoid globbing before read stream is opened (#2839) (19122f3)
  • Avoid Node.js deprecation warning for fs.Stats (#2838) (69a5d0e)
  • Support top-level await on Node 22.12+ (#2836) (04b4a74)

gulp v5.0.0

We've tried to provide a high-level changelog for gulp v5 below, but it doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down into all changes that were made.

⚠ BREAKING CHANGES

  • Drop support for Node.js <10.13
  • Default stream encoding to UTF-8
  • Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
  • Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
  • All globs and paths are normalized to unix-like filepaths
  • Only allow JS variants for .gulp.* config files
  • Removed support for alpha releases of v4 from gulp-cli
  • Removed the --verify flag
  • Renamed the --require flag to --preload to avoid conflicting with Node.js flags
  • Removed many legacy and deprecated loaders
  • Upgrade to chokidar v3
  • Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
  • Stop using process.umask() to make directories, instead falling back to Node's default mode
  • Throw on non-function, non-string option coercers
  • Drop support of Node.js snake_case flags
  • Use a Symbol for attaching the gulplog namespace to the store
  • Use a Symbol for attaching the gulplog store to the global
  • Use sha256 to hash the v8flags cache into a filename

Features

  • Streamlined the dependency tree
  • Switch all streams implementation to Streamx
  • Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
  • Implement translation support for all CLI messages and all messages passing through gulplog
  • Allow users to customize or remove the timestamp from their logs
  • Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
  • Added support for gulpfile.cjs and gulpfile.mjs
  • Add support for swc, esbuild, sucrase, and mdx loaders
  • Provide an ESM export (#2760) (b00de68)
  • Support sourcemap handling on streaming Vinyl contents

... (truncated)

Changelog

Sourced from gulp's changelog.

5.0.1 (2025-06-01)

Bug Fixes

  • Avoid globbing before read stream is opened (#2839) (19122f3)
  • Avoid Node.js deprecation warning for fs.Stats (#2838) (69a5d0e)
  • Support top-level await on Node 22.12+ (#2836) (04b4a74)

5.0.0 (2024-03-29)

We've tried to provide a high-level changelog for gulp v5 below, but it doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down into all changes that were made.

⚠ BREAKING CHANGES

  • Drop support for Node.js <10.13
  • Default stream encoding to UTF-8
  • Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
  • Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
  • All globs and paths are normalized to unix-like filepaths
  • Only allow JS variants for .gulp.* config files
  • Removed support for alpha releases of v4 from gulp-cli
  • Removed the --verify flag
  • Renamed the --require flag to --preload to avoid conflicting with Node.js flags
  • Removed many legacy and deprecated loaders
  • Upgrade to chokidar v3
  • Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
  • Stop using process.umask() to make directories, instead falling back to Node's default mode
  • Throw on non-function, non-string option coercers
  • Drop support of Node.js snake_case flags
  • Use a Symbol for attaching the gulplog namespace to the store
  • Use a Symbol for attaching the gulplog store to the global
  • Use sha256 to hash the v8flags cache into a filename

Features

  • Streamlined the dependency tree
  • Switch all streams implementation to Streamx
  • Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
  • Implement translation support for all CLI messages and all messages passing through gulplog
  • Allow users to customize or remove the timestamp from their logs
  • Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
  • Added support for gulpfile.cjs and gulpfile.mjs
  • Add support for swc, esbuild, sucrase, and mdx loaders
  • Provide an ESM export (#2760) (b00de68)
  • Support sourcemap handling on streaming Vinyl contents

... (truncated)

Commits

dependabot Bot added the dependencies and javascript labels Apr 29, 2026

greptile-apps Bot commented Apr 29, 2026

Greptile Summary

This PR bumps gulp from 4.0.2 to 5.0.1, a major version upgrade with several breaking changes. While package.json and package-lock.json are correctly updated, the existing gulpfile.js has not been adapted for gulp 5's breaking changes, which will cause problems at runtime.

  • Binary asset corruption: gulp 5 defaults gulp.src() to UTF-8 encoding. Tasks copying binary files (prod_copy_fonts, prod_copy_images, prod_pdf_viewer_files) need { encoding: false } to avoid silently corrupting fonts and images.
  • Stream incompatibility: gulp 5 uses Streamx internally; streamqueue (used in prod_minify_js) targets classic Node.js streams and may hang or produce incomplete output.

Confidence Score: 3/5

Not safe to merge without updating gulpfile.js — binary assets will be corrupted and JS bundling may break.

Two P1 issues exist in gulpfile.js: the default UTF-8 encoding in gulp 5 will silently corrupt all copied binary files (fonts, images), and the streamqueue/Streamx incompatibility may break JS bundling. Neither issue is in the changed files (package.json / package-lock.json), but this upgrade cannot function correctly without corresponding gulpfile changes.

gulpfile.js — needs { encoding: false } on binary-asset gulp.src() calls, and streamqueue usage should be verified or replaced.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Bumps gulp from ^4.0.2 to ^5.0.1; the change itself is minimal but introduces breaking behavior in the gulpfile for binary asset handling and stream compatibility. |
| package-lock.json | Lock file updated by Dependabot to reflect gulp 5.0.1 and its updated transitive dependency tree (anymatch 3.x, new @gulpjs/to-absolute-glob, etc.); no anomalies in the lock file itself. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[gulp.src binary assets\nfonts / images / pdf viewer] -->|gulp 5 default: UTF-8 encoding| B{encoding: false?}
    B -- No --> C[Binary content decoded as UTF-8\nCorrupted output files]
    B -- Yes --> D[Binary content preserved\nCorrect output]

    E[prod_minify_js\nstreamqueue + gulp.src streams] -->|gulp 5: Streamx-based streams| F{streamqueue compatible?}
    F -- Uncertain --> G[Possible hang or\nmissing output]
    F -- Yes --> H[JS bundle produced correctly]

Comments Outside Diff (3)

  1. gulpfile.js, line 105-116 (link)

    P1 Binary files will be corrupted by default UTF-8 encoding in gulp 5

    gulp 5 changed the default encoding option for gulp.src() to 'utf8'. This means binary files — fonts (.eot, .woff, .ttf, .svg) and images (.png, .ico) — will be decoded as UTF-8 text and re-encoded on write, silently corrupting them. You need to pass { encoding: false } to gulp.src() for any task that reads binary assets.

    Affected tasks: prod_copy_fonts (line 105), prod_copy_images (line 111), and prod_pdf_viewer_files (line 147) at minimum.

    // Example fix for prod_copy_fonts:
    gulp.task('prod_copy_fonts', function () {
        return gulp.src('bower_components/bootstrap/fonts/*.*', { encoding: false })
            .pipe(gulp.dest('compair/static/fonts/'));
    });
  2. gulpfile.js, line 136-145 (link)

    P1 streamqueue may not be compatible with gulp 5's Streamx-based streams

    gulp 5 switched its internal streams implementation from Node.js streams to Streamx. The streamqueue package (v1.1.2) was designed for classic Node.js streams. Mixing Streamx-based gulp.src() streams with streamqueue can cause hangs or missing output at runtime, since Streamx streams are not fully duck-typed with Node.js Readable streams in all cases. Verify that streamqueue works correctly after upgrading, or replace it with gulp's built-in gulp.src() array/merge-stream approach.

  3. gulpfile.js, line 239-243 (link)

    P2 del.sync removed in newer del versions

    The del package v3 ("del": "^3.0.0") does expose .sync, but this is noted in the del changelog as a pattern to avoid. More importantly, if this dep is ever upgraded alongside this gulp bump, del v7+ removed .sync entirely. While this isn't broken today, the comment "use sync method, gulp doesn't seem to wait for async del" suggests a workaround that is no longer needed with gulp 4+ task-based async handling. Worth revisiting for forward compatibility.

Reviews (1): Last reviewed commit: "Bump gulp from 4.0.2 to 5.0.1" | Re-trigger Greptile
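
The binary-asset corruption described in the review comment above, as an added example (not code from this repository, from gulp, or from the review bot). It models the decode-as-UTF-8 and re-encode step on constructed sample bytes and classifies a built file against its source; the function names and sample assets are assumptions made for the illustration.

```javascript
// Added example: models the UTF-8 decode / re-encode step the review comment
// describes. It is not gulp's or vinyl-fs's code.

// What a UTF-8 text pipeline does to arbitrary bytes: every invalid sequence
// becomes U+FFFD, which re-encodes as the three bytes EF BF BD.
function utf8RoundTrip(bytes) {
  return Buffer.from(bytes.toString('utf8'), 'utf8');
}

// Classify a built file against its source. 'utf8-mangled' means the output is
// exactly what a UTF-8 round trip of the source produces, so the cause is a
// missing { encoding: false } rather than some other build difference.
function diagnose(source, built) {
  if (built.equals(source)) return 'identical';
  if (built.equals(utf8RoundTrip(source))) return 'utf8-mangled';
  return 'differs';
}

// Pre-merge audit: names of assets that cannot pass through a UTF-8 stream
// intact and therefore need { encoding: false } on their gulp.src() call.
function assetsNeedingRawRead(assets) {
  return Object.keys(assets).filter(
    (name) => !utf8RoundTrip(assets[name]).equals(assets[name])
  );
}

// Constructed sample inputs (not files from the repository).
const SAMPLE_ASSETS = {
  // PNG signature plus the IHDR length field; 0x89 is never valid UTF-8.
  'logo.png': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]),
  // 'wOFF' magic followed by arbitrary high bytes standing in for font data.
  'glyphs.woff': Buffer.from([0x77, 0x4f, 0x46, 0x46, 0x00, 0x01, 0xff, 0xfe, 0xc3, 0x28]),
  // Valid UTF-8 text, including multi-byte characters.
  'site.css': Buffer.from('.caf\u00e9 { content: "\u2713"; }\n', 'utf8'),
};

// Simulate copying each asset without { encoding: false } and report the result.
function demo() {
  const report = {};
  for (const [name, bytes] of Object.entries(SAMPLE_ASSETS)) {
    const built = utf8RoundTrip(bytes);
    report[name] = { before: bytes.length, after: built.length, verdict: diagnose(bytes, built) };
  }
  return report;
}

console.log(demo());
console.log('need { encoding: false }:', assetsNeedingRawRead(SAMPLE_ASSETS));
```

The damage is not reversible: once an invalid byte has been replaced by EF BF BD the original value is gone, so a corrupted asset has to be rebuilt from source rather than repaired.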

Bumps [gulp](https://github.com/gulpjs/gulp) from 4.0.2 to 5.0.1.
- [Release notes](https://github.com/gulpjs/gulp/releases)
- [Changelog](https://github.com/gulpjs/gulp/blob/master/CHANGELOG.md)
- [Commits](gulpjs/gulp@v4.0.2...v5.0.1)

---
updated-dependencies:
- dependency-name: gulp
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/npm_and_yarn/gulp-5.0.1 branch from 7d50d2e to cd5c90d on April 29, 2026 16:40