Page MenuHomePhabricator
Create Task
Maniphest T200374

Update indirect dependency on github.com/gwicke/kad.git
Open, LowPublic
Actions

Description

The limitation rate-limiting module pulls in a fork of kadence from a git master located at github.com/gwicke/kad.git. This fork hasn't been updated in a while and has begun throwing deprecation warnings on npm install:

npm WARN deprecated kad-memstore@0.0.1: Please upgrade to @kadenceproject/kadence - See https://kadence.github.io
npm WARN deprecated kad-fs@0.0.4: Please upgrade to @kadenceproject/kadence - See https://kadence.github.io

This should be cleaned up and hopefully brought up to date.

Related Objects

Event Timeline

Mholloway created this task.Jul 25 2018, 9:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 25 2018, 9:55 PM
Mholloway renamed this task from Update indirect dependency on gwicke/kad.git to Update indirect dependency on github.com/gwicke/kad.git.Jul 25 2018, 9:56 PM
Mholloway updated the task description. (Show Details)
Mholloway updated the task description. (Show Details)Jul 26 2018, 3:27 AM
mobrovac triaged this task as Low priority.Jul 30 2018, 10:31 AM
mobrovac added a project: Services (later).
Pchelolo subscribed.Jul 30 2018, 8:38 PM

And transferred to wikimedia group.

I've been looking into this and the task ain't easy - the fork significantly diverged from the master, so rebasing it on top of a current master is challenging.

KartikMistry subscribed.Dec 4 2018, 5:47 AM
santhosh subscribed.Dec 4 2018, 5:47 AM

This is increasingly becoming a problem as npm audit is reporting more issues from the dependencies.

bearND subscribed.Dec 4 2018, 3:43 PM
mobrovac added a project: Platform Team Legacy (Later).Dec 20 2018, 12:07 PM
Pchelolo assigned this task to holger.knust.Jan 15 2019, 7:19 PM
Pchelolo raised the priority of this task from Low to Medium.

Given that lack of maintenance, the limiter has started causing real issues (see T212631), I'm raising the priority to 'Normal'

A bit more background:
The limitation library is a rate limiter based on DHT implementation called KAD. Historically, it was using Gabriels fork which was then transferred into the wikimedia org, but the fork has very significantly diverged from the upstream. Given that upstream API has changed, even the repos the fork is based on were deprecated, we should abandon the fork completely.

Ideally, we need to figure out the reasoning behind the 10 additional commits in the fork and attempt to use the upstream in the limitation library.
Additionally, we need to first reevaluate existing third-party libs - in the years that have passed since limitation was created the environment might have changed.

KartikMistry added a comment.Feb 22 2019, 7:14 AM

Update: Now npm audit shows 2 vulnerabilities from limitation.

bearND awarded a token.Apr 11 2019, 3:01 PM

If this takes longer I suggest just updating its dependencies.

Mholloway added a comment.May 15 2019, 8:41 PM

Can't any necessary rate limiting be handled by Varnish/Apache Traffic Server, at least in the WMF production context?

mobrovac subscribed.May 16 2019, 1:19 PM
In T200374#5185738, @Mholloway wrote:

Can't any necessary rate limiting be handled by Varnish/Apache Traffic Server, at least in the WMF production context?

We (as in the WMF) are trying to minimise the reliance on Varnish for anything that is not related to caching (routing, rate-limiting, etc), so this would go against that effort.

mobrovac added a comment.May 22 2019, 7:56 AM
In T200374#4974852, @KartikMistry wrote:

Update: Now npm audit shows 2 vulnerabilities from limitation.

Apologies for the hold-up. The dependencies have been updated, so now if you rm -rf node_modules && npm install, the vulnerabilities should no longer show. If you still use the deploy repo for your service (i.e. you are not on k8s), you should use --force when building the repo next time in order to pull in the updated dependencies.

mobrovac added a project: Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)).May 22 2019, 7:56 AM
WDoranWMF moved this task from Later to Mop Column on the Platform Team Legacy board.Jul 5 2019, 3:45 PM
WDoranWMF removed a project: Platform Team Legacy (Later).
CCicalese_WMF removed holger.knust as the assignee of this task.Oct 1 2019, 6:39 PM
CCicalese_WMF raised the priority of this task from Medium to High.
CCicalese_WMF edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)).
CCicalese_WMF moved this task from Inbox to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
CCicalese_WMF added a subscriber: holger.knust.
Pchelolo added a comment.Oct 1 2019, 6:45 PM

I'm raising the priority of this yet again cause the fork has completely diverged from the upstream and it's getting to the point when it's dependencies are not supported either, so we really need to switch away from the fork.

Mholloway added a comment.Oct 11 2019, 6:43 PM

I'm having another related problem. For some reason, lately, npm is sometimes not completely installing kad and its dependencies. In particular I'm finding that I frequently hit an error related to a missing colors module:

Error: Cannot find module 'colors/safe'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:582:15)
    at Function.Module._load (internal/modules/cjs/loader.js:508:25)
    at Module.require (internal/modules/cjs/loader.js:637:17)
    at require (internal/modules/cjs/helpers.js:22:18)
    at Object.<anonymous> (/home/mholloway/code/wikimedia/mobileapps/node_modules/limitation/node_modules/kad/lib/logger.js:3:14)
mobrovac mentioned this in T235437: RESTBase/RESTRouter/service-runner rate limiting plans.Oct 16 2019, 6:37 PM
holger.knust claimed this task.Oct 23 2019, 1:04 PM
holger.knust moved this task from Ready (WIP:5) to Doing(WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
WDoranWMF lowered the priority of this task from High to Low.Nov 7 2019, 8:00 PM
WDoranWMF moved this task from Doing(WIP:5) to Backlog on the Platform Team Workboards (Clinic Duty Team) board.
AMooney edited projects, added Platform Engineering (Icebox); removed Platform Team Workboards (Clinic Duty Team).Mar 13 2020, 1:34 PM
Aklapper removed holger.knust as the assignee of this task.Oct 4 2021, 9:48 PM

Resetting deactivated assignee account.

Mholloway unsubscribed.Oct 4 2021, 10:31 PM
santhosh mentioned this in T298854: NPM "colors" and "faker" package vulnerability audit.Jan 11 2022, 11:01 AM
Legoktm added subscribers: WDoranWMF, Legoktm.Feb 2 2022, 4:33 AM

@WDoranWMF can you clarify why this was deprioritized to "low" given the problems it's causing elsewhere and previous comments at T200374#5538736 and T298854#7618747? service-runner is pretty critical to nearly all the services we run.

santhosh mentioned this in T309772: npm audit reports several security issues with Service runner.Jun 2 2022, 8:58 AM
Aklapper added projects: MediaWiki-Engineering, Technical-Debt.Dec 29 2023, 1:05 PM
Aklapper removed subscribers: holger.knust, mobrovac, bearND, Pchelolo.
Atieno moved this task from Inbox, needs triage to Backlog (revisit in the future) on the MediaWiki-Engineering board.Jan 10 2024, 1:59 PM
Atieno moved this task from Backlog (revisit in the future) to Needs Input (waiting) on the MediaWiki-Engineering board.
MSantos removed a project: MediaWiki-Engineering.Jan 24 2024, 2:23 PM
MSantos added subscribers: Nikerabbit, MSantos.

@Nikerabbit cxserver seems to be the only service apart from restbase using this according to codesearch. Since service-runner is unowned, I'll remove MediaWiki-Engineering but happy to discuss this if the change is important to you, please let me know.

akosiaris subscribed.Feb 20 2024, 12:06 PM
In T200374#9485174, @MSantos wrote:

@Nikerabbit cxserver seems to be the only service apart from restbase using this according to codesearch. Since service-runner is unowned, I'll remove MediaWiki-Engineering but happy to discuss this if the change is important to you, please let me know.

Not against removing this from cxserver, it wasn't working anyway in a kubernetes environment (where cxserver was deployed) since it is implementing a very simple discovery mechanism that is not a good fit for an environment with ephemeral workloads. In the pathological case, it leads to 1 isolated DHT per pod. I have removed support from the chart myself in 8499d5aa41796bd8bbc754be1041ffc27d877917 in fact.

However, I am worried about the Since service-runner is unowned statement. Has this been raised/communicated/discussed etc?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL