Page MenuHomePhabricator
Create Task
Maniphest T237415

Vulnerable and outdated npm packages used by MachineVision
Closed, ResolvedPublic
Actions

Description

Follow-up from the security readiness review (T227346). Several npm packages were identified as vulnerable or outdated. We should investigate each and either remediate the problem (i.e., upgrade) or document why that's not possible and when it will be.

Vulnerable Packages
As reported by npm audit and retirejs:

  1. jquery 3.3.1, prototype pollution
    • dependency of wikimedia/mw-node-qunit
    • https://nodesecurity.io/advisories/796
    • Affected files (post npm install):
      • node_modules/jquery/dist/jquery.js
      • node_modules/jquery/dist/jquery.min.js
      • node_modules/jquery/dist/jquery.slim.js
      • node_modules/jquery/dist/jquery.slim.min.js
      • node_modules/jquery/package.json

Outdated Packages
As reported via npm outdated:

No explicit vulnerabilities reported, simply noting for completeness' sake.

PackageCurrentWantedLatest
@ wikimedia/mw-node-qunit6.0.0gitgit
eslint-config-wikimedia0.12.00.12.00.15.0
grunt-banana-checker0.7.00.7.00.8.1
grunt-eslint21.0.021.0.022.0.0
grunt-stylelint0.11.10.11.10.12.0
oojs2.2.22.2.23.0.0
stylelint9.10.19.10.111.1.1
stylelint-config-wikimedia0.6.00.6.00.7.0

Details

SubjectRepoBranchLines +/-
Bump mw-node-qunit to 6.1.1mediawiki/extensions/MachineVisionmaster+58 -63
build: Upgrade devDependencies to latestmediawiki/extensions/MachineVisionmaster+750 -700
Customize query in gerrit

Related Objects

Event Timeline

Mholloway created this task.Nov 5 2019, 2:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2019, 2:53 PM
Mholloway renamed this task from Vulnerable and outdated npm packages to Vulnerable and outdated npm packages used by MachineVision.Nov 5 2019, 2:53 PM
Mholloway mentioned this in T227346: Security readiness review for the MachineVision extension.Nov 5 2019, 3:15 PM
Jdforrester-WMF subscribed.Nov 5 2019, 6:55 PM

You should not upgrade local copies of jQuery in an extension until MW's upgrade has happened. See T233027: Upgrade MW's version of jQuery from 3.3.x to 3.4.x.

JoeWalsh triaged this task as Low priority.Nov 6 2019, 4:36 PM
JoeWalsh moved this task from Needs triage to Backlog on the Product-Infrastructure-Team-Backlog-Deprecated board.
Mholloway moved this task from Backlog to Ready for dev on the MachineVision board.Nov 18 2019, 5:17 PM
Mholloway moved this task from Ready for dev to Backlog on the MachineVision board.
Mholloway added a comment.Nov 22 2019, 11:19 PM

@Jdforrester-WMF Are any/all of the above packages handled by Libraryupgrader?

Jdforrester-WMF added a comment.Nov 22 2019, 11:28 PM
In T237415#5685986, @Mholloway wrote:

@Jdforrester-WMF Are any/all of the above packages handled by Libraryupgrader?

All of the dev dependencies are, but I can do it trivially for you if you want.

gerritbot added a comment.Nov 22 2019, 11:33 PM

Change 552605 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/MachineVision@master] build: Upgrade devDependencies to latest

https://gerrit.wikimedia.org/r/552605

gerritbot added a project: Patch-For-Review.Nov 22 2019, 11:33 PM
gerritbot added a comment.Nov 25 2019, 6:43 PM

Change 552605 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] build: Upgrade devDependencies to latest

https://gerrit.wikimedia.org/r/552605

Mholloway added a comment.Nov 25 2019, 7:42 PM

Thanks for the patches, @Jdforrester-WMF!

I'll leave this open for now since JQuery is still at 3.3.1 via mw-node-qunit.

Jdforrester-WMF added a comment.Nov 25 2019, 7:43 PM
In T237415#5691064, @Mholloway wrote:

Thanks for the patches, @Jdforrester-WMF!

I'll leave this open for now since JQuery is still at 3.3.1 via mw-node-qunit.

Is the Web team planning to fix that in a separate task?

Maintenance_bot removed a project: Patch-For-Review.Nov 26 2019, 11:59 AM
gerritbot added a comment.Nov 27 2019, 8:18 PM

Change 553408 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Bump mw-node-qunit to 6.1.1

https://gerrit.wikimedia.org/r/553408

gerritbot added a project: Patch-For-Review.Nov 27 2019, 8:18 PM
Mholloway added a comment.Nov 27 2019, 8:20 PM

@Jdforrester-WMF I just went ahead and updated it.

gerritbot added a comment.Nov 27 2019, 9:16 PM

Change 553408 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Bump mw-node-qunit to 6.1.1

https://gerrit.wikimedia.org/r/553408

Mholloway closed this task as Resolved.Nov 27 2019, 9:22 PM
Mholloway claimed this task.
ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.10; 2019-12-10).Nov 27 2019, 10:00 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 27 2019, 10:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL