Page MenuHomePhabricator
Create Task
Maniphest T207988

Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

I have problems to regenerate package-lock.json

Details

SubjectRepoBranchLines +/-
Update npm deps & fix newly found styling issuesmediawiki/extensions/WikibaseQualityConstraintsmaster+3 K -1 K
Update npm dev dependenciesmediawiki/extensions/AdvancedSearchmaster+2 K -1 K
Customize query in gerrit

Related Objects

Event Timeline

Umherirrender created this task.Oct 25 2018, 8:27 PM
Restricted Application added projects: Wikidata, TCB-Team (now WMDE-TechWish). · View Herald TranscriptOct 25 2018, 8:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Umherirrender updated the task description. (Show Details)Oct 26 2018, 3:19 PM
gabriel-wmde subscribed.Oct 29 2018, 4:13 PM

Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since the we use the vulnerable component (grunt) only for running the continous integration checks, where the risk of code injection is quite low.

gerritbot subscribed.Oct 30 2018, 12:01 AM

Change 470525 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies

https://gerrit.wikimedia.org/r/470525

gerritbot added a project: Patch-For-Review.Oct 30 2018, 12:01 AM
Tim_WMDE mentioned this in rEASR6fca68d0968d: Update npm dev dependencies.Oct 30 2018, 12:02 AM
Tim_WMDE mentioned this in rEASR415aac646063: Update npm dev dependencies.Oct 30 2018, 12:14 AM
gerritbot added a comment.Oct 30 2018, 12:22 AM

Change 470527 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm packages and fix minor styling issues

https://gerrit.wikimedia.org/r/470527

Tim_WMDE added a project: WMDE-FUN-Sprint-2018-10-29.Oct 30 2018, 12:28 AM
Tim_WMDE subscribed.

I have problems to regenerate package-lock.json

I was curious about why you would potentially have issues regenerating the package lock file so I quickly tried it myself and it worked fine, so I just created a patch really quickly and also took the opportunity to update some other packages (#SorryNotSorry @gabriel-wmde 😄).

And then I noticed that you tagged two projects here so I went ahead and also created a patch for Wikibase-Quality-Constraints while I was at it.

Tim_WMDE moved this task from Todo to Review on the WMDE-FUN-Sprint-2018-10-29 board.Oct 30 2018, 12:28 AM
Tim_WMDE set the point value for this task to 1.
Legoktm subscribed.Oct 30 2018, 2:05 AM
In T207988#4703344, @gabriel-wmde wrote:

Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since the we use the vulnerable component (grunt) only for running the continous integration checks, where the risk of code injection is quite low.

I don't think this is an acceptable response. It's not just CI, it's also developer's laptops, which are an extremely high value target. While this vulnerability might be pretty minor, it's important to keep the security issues green, so that when an actual high severity vulnerability is reported, we don't miss it by assuming there is always a vulnerability.

gabriel-wmde added a comment.Oct 30 2018, 9:39 AM

I don't think this is an acceptable response. It's not just CI, it's also developer's laptops, which are an extremely high value target. While this vulnerability might be pretty minor, it's important to keep the security issues green, so that when an actual high severity vulnerability is reported, we don't miss it by assuming there is always a vulnerability.

You're right. We were already in "OMG, the fundraising campaign is coming, drop everything you're doing" mode, which is not a good excuse to slack on security, but the reason why we initially decided on postponing the fix.

gerritbot added a comment.Oct 30 2018, 7:27 PM

Change 470525 merged by jenkins-bot:
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies

https://gerrit.wikimedia.org/r/470525

Tonina_Zhelyazkova_WMDE moved this task from Review to Done on the WMDE-FUN-Sprint-2018-10-29 board.Oct 31 2018, 10:46 AM
gerritbot added a comment.Oct 31 2018, 11:30 AM

Change 470527 merged by jenkins-bot:
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm deps & fix newly found styling issues

https://gerrit.wikimedia.org/r/470527

Lucas_Werkmeister_WMDE closed this task as Resolved.Oct 31 2018, 11:35 AM
Lucas_Werkmeister_WMDE claimed this task.
Lucas_Werkmeister_WMDE subscribed.

Both parts are done now, right?

Tim_WMDE added a comment.Oct 31 2018, 11:35 AM

Yeah, this ticket has nothing left to do, thanks.

Lea_WMDE moved this task from Backlog to In FUN sprint on the Advanced-Search board.Dec 4 2018, 9:03 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits