- Update grunt to 1.0.3, addressing security issues:
- https://npmjs.com/advisories/577
- CVE-2018-3721
I have problems to regenerate package-lock.json
Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since we use the vulnerable component (grunt) only for running the continuous integration checks, where the risk of code injection is quite low.
Change 470525 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies
Change 470527 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm packages and fix minor styling issues
I have problems to regenerate package-lock.json
I was curious about why you would potentially have issues regenerating the package lock file so I quickly tried it myself and it worked fine, so I just created a patch really quickly and also took the opportunity to update some other packages (#SorryNotSorry @gabriel-wmde 😄).
And then I noticed that you tagged two projects here so I went ahead and also created a patch for Wikibase-Quality-Constraints while I was at it.
I don't think this is an acceptable response. It's not just CI, it's also developers' laptops, which are an extremely high-value target. While this vulnerability might be pretty minor, it's important to keep the security issues green, so that when an actual high-severity vulnerability is reported, we don't miss it by assuming there is always a vulnerability.
You're right. We were already in "OMG, the fundraising campaign is coming, drop everything you're doing" mode, which is not a good excuse to slack on security, but the reason why we initially decided on postponing the fix.
Change 470525 merged by jenkins-bot:
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies
Change 470527 merged by jenkins-bot:
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm deps & fix newly found styling issues