
Vulnerable and outdated npm packages used by MachineVision
Closed, ResolvedPublic

Description

Follow-up from the security readiness review (T227346). Several npm packages were identified as vulnerable or outdated. We should investigate each and either remediate the problem (i.e., upgrade) or document why that's not possible and when it will be.

Vulnerable Packages
As reported by npm audit and retirejs:

  1. jquery 3.3.1, prototype pollution
    • dependency of wikimedia/mw-node-qunit
    • https://nodesecurity.io/advisories/796
    • Affected files (post npm install):
      • node_modules/jquery/dist/jquery.js
      • node_modules/jquery/dist/jquery.min.js
      • node_modules/jquery/dist/jquery.slim.js
      • node_modules/jquery/dist/jquery.slim.min.js
      • node_modules/jquery/package.json
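
The advisory linked above is a prototype-pollution bug in jQuery's deep `extend`, fixed in jQuery 3.4.0. As an added example (not jQuery's source and not MachineVision code), the following Node script models the merge pattern behind that advisory beside the shape of the 3.4.0 fix, so the behaviour can be checked without installing jQuery. The `PAYLOAD` string is a constructed attacker input; the `isPlainObject`, `deepExtendVulnerable` and `deepExtendHardened` functions are simplified stand-ins, not jQuery's implementation.

```javascript
// Added example, not jQuery's source and not MachineVision code: a minimal
// model of the deep-merge pattern behind the jQuery < 3.4.0 prototype-pollution
// advisory (nodesecurity advisory 796), beside the shape of the 3.4.0 fix, so
// the behaviour can be checked in plain Node without installing jQuery.

// jQuery-style plainness check: objects with a null prototype also count as
// plain. That detail is what lets Object.prototype itself become a merge target.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable shape: recurse into every own key of `src`, "__proto__" included.
// For a plain `target`, target["__proto__"] is Object.prototype, which passes
// the plainness check above, so attacker keys are written onto Object.prototype.
function deepExtendVulnerable(target, src) {
  for (const name of Object.keys(src)) {
    const copy = src[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened shape, mirroring the jQuery 3.4.0 fix: never descend into, or
// assign, a key named "__proto__".
function deepExtendHardened(target, src) {
  for (const name of Object.keys(src)) {
    if (name === "__proto__") continue;
    const copy = src[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input: JSON.parse creates an OWN property named
// "__proto__" rather than changing the prototype, so Object.keys() returns it.
const PAYLOAD = '{"__proto__": {"polluted": "yes"}}';

// Returns true when merging PAYLOAD into an empty object with `extendFn`
// leaves a "polluted" key on Object.prototype (i.e. visible on every object).
// The key is always removed afterwards so the probe has no lasting effect.
function pollutes(extendFn) {
  try {
    extendFn({}, JSON.parse(PAYLOAD));
    return Object.prototype.hasOwnProperty("polluted");
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log("vulnerable merge pollutes:", pollutes(deepExtendVulnerable)); // true
console.log("hardened merge pollutes:  ", pollutes(deepExtendHardened));   // false
```

The probe is the same check one would run against a real install (`$.extend(true, {}, JSON.parse(PAYLOAD))`, then look for the key on a fresh object); it is a useful sanity test after bumping the dependency that ships jQuery.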

Outdated Packages
As reported via npm outdated:

No explicit vulnerabilities reported, simply noting for completeness' sake.

Package                     Current   Wanted    Latest
@wikimedia/mw-node-qunit    6.0.0     git       git
eslint-config-wikimedia     0.12.0    0.12.0    0.15.0
grunt-banana-checker        0.7.0     0.7.0     0.8.1
grunt-eslint                21.0.0    21.0.0    22.0.0
grunt-stylelint             0.11.1    0.11.1    0.12.0
oojs                        2.2.2     2.2.2     3.0.0
stylelint                   9.10.1    9.10.1    11.1.1
stylelint-config-wikimedia  0.6.0     0.6.0     0.7.0
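
The two lists above answer different questions: `npm audit` says which installed version is vulnerable, and the dependency path says which direct dependency has to be bumped to fix it (here jquery arrives only through @wikimedia/mw-node-qunit). As an added example, not MachineVision's or npm's own code, the script below walks an `npm ls --json`-style tree, flags every installed package whose version falls inside an advisory's range, and reports the path from the root so the direct dependency to bump is obvious. The `TREE_BEFORE` tree and the `ADVISORIES` record are constructed to mirror this task; `TREE_AFTER` assumes a hypothetical post-bump state in which mw-node-qunit 6.1.1 ships jquery 3.4.1, which the task does not state. The version and range handling is a deliberately small comparator, not the `semver` package.

```javascript
// Added example (not MachineVision's or npm's code): find vulnerable packages in
// an `npm ls --json`-style tree and report the path that pulls each one in.

const ADVISORIES = [
  // Constructed record; the range reflects the fix landing in jQuery 3.4.0.
  { name: "jquery", vulnerable: "<3.4.0", url: "https://nodesecurity.io/advisories/796" },
];

// Constructed tree mirroring this task: jquery 3.3.1 only via mw-node-qunit.
const TREE_BEFORE = {
  name: "machinevision",
  version: "0.0.0",
  dependencies: {
    "@wikimedia/mw-node-qunit": {
      version: "6.0.0",
      dependencies: { jquery: { version: "3.3.1" } },
    },
    "eslint-config-wikimedia": { version: "0.12.0" },
  },
};

// Hypothetical post-bump tree (assumption: 6.1.1 ships jquery 3.4.1).
const TREE_AFTER = {
  name: "machinevision",
  version: "0.0.0",
  dependencies: {
    "@wikimedia/mw-node-qunit": {
      version: "6.1.1",
      dependencies: { jquery: { version: "3.4.1" } },
    },
    "eslint-config-wikimedia": { version: "0.15.0" },
  },
};

// Parse "major.minor.patch" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("not a release version: " + v);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal range check: a space-separated set of comparators such as
// "<3.4.0" or ">=3.0.0 <3.4.0" that must all hold.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error("unsupported comparator: " + c);
    const cmp = compareVersions(version, m[2]);
    switch (m[1]) {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Depth-first walk; each hit records the full path and the direct dependency
// (path[1]) that has to be bumped or replaced to remediate it.
function findVulnerable(tree, advisories = ADVISORIES) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      for (const adv of advisories) {
        if (adv.name === name && satisfies(dep.version, adv.vulnerable)) {
          hits.push({ name, version: dep.version, via: here[1], path: here, url: adv.url });
        }
      }
      walk(dep, here);
    }
  };
  walk(tree, [tree.name]);
  return hits;
}

for (const h of findVulnerable(TREE_BEFORE)) {
  console.log(`${h.name}@${h.version} (${h.url})\n  path: ${h.path.join(" > ")}\n  bump: ${h.via}`);
}
console.log("after bump:", findVulnerable(TREE_AFTER).length, "vulnerable packages");
```

To run it against a real checkout, replace `TREE_BEFORE` with `JSON.parse` of `npm ls --all --json` output and the `ADVISORIES` list with the ranges from `npm audit --json`; the walk itself is unchanged.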

Details

Related Gerrit Patches:
mediawiki/extensions/MachineVision : master - Bump mw-node-qunit to 6.1.1
mediawiki/extensions/MachineVision : master - build: Upgrade devDependencies to latest

Event Timeline

Mholloway created this task. Nov 5 2019, 2:53 PM
Restricted Application added a subscriber: Aklapper. Nov 5 2019, 2:53 PM
Mholloway renamed this task from "Vulnerable and outdated npm packages" to "Vulnerable and outdated npm packages used by MachineVision". Nov 5 2019, 2:53 PM

You should not upgrade local copies of jQuery in an extension until MW's upgrade has happened. See T233027: Upgrade MW's version of jQuery from 3.3.x to 3.4.x.

JoeWalsh triaged this task as Low priority. Nov 6 2019, 4:36 PM
Mholloway moved this task from Ready for dev to Backlog on the MachineVision board.

@Jdforrester-WMF Are any/all of the above packages handled by Libraryupgrader?

> @Jdforrester-WMF Are any/all of the above packages handled by Libraryupgrader?

All of the dev dependencies are, but I can do it trivially for you if you want.

Change 552605 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/MachineVision@master] build: Upgrade devDependencies to latest

https://gerrit.wikimedia.org/r/552605

Change 552605 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] build: Upgrade devDependencies to latest

https://gerrit.wikimedia.org/r/552605

Thanks for the patches, @Jdforrester-WMF!

I'll leave this open for now since jQuery is still at 3.3.1 via mw-node-qunit.

> Thanks for the patches, @Jdforrester-WMF!
> I'll leave this open for now since jQuery is still at 3.3.1 via mw-node-qunit.

Is the Web team planning to fix that in a separate task?

Change 553408 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Bump mw-node-qunit to 6.1.1

https://gerrit.wikimedia.org/r/553408

@Jdforrester-WMF I just went ahead and updated it.

Change 553408 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Bump mw-node-qunit to 6.1.1

https://gerrit.wikimedia.org/r/553408

Mholloway closed this task as Resolved. Nov 27 2019, 9:22 PM
Mholloway claimed this task.