
Track external JS libraries in MediaWiki in a way that allows vulnerability detection
Open, Medium, Public

Description

MediaWiki includes a number of third-party JavaScript libraries in resources/lib (sometimes effectively forked, sometimes just copies of the originals). There is no build process or package management: the files are committed manually. This often makes it nontrivial to figure out which version we are using or have forked from, and it prevents us from using an automatic vulnerability alert service (e.g. Snyk, https://snyk.io/). We should probably fix that.