Page MenuHomePhabricator
Create Task
Maniphest T237479

Update the wikimedia-portals repo's CI/linting code for various security issues
Closed, ResolvedPublic
Actions

Description

None of them AFAICS are "actual" issues (we don't run that code anywhere near production), but the warnings go all the way up to critical (eslint-utils and handlebars) along with high (set-value, mixin-deep, lodash, lodash.merge, handlebars again, lodash again, js-yaml), moderate (4) and low (3).

Unfortunately I can't build master locally, so I can't fix it for you.

Details

SubjectRepoBranchLines +/-
build: Upgrade gulp to 4.x and make workwikimedia/portalsmaster+1 K -449
build: Upgrade everything to latestwikimedia/portalsmaster+1 K -1 K
build: Upgrade gulp-clean-css and gulp-load-plugins for security issueswikimedia/portalsmaster+104 -410
build: Upgrade postcss-import from ^8.0.2 to ^12.0.1wikimedia/portalsmaster+70 -1 K
build: Upgrade pngquant-bin from ^3.1.1 to ^5.0.2wikimedia/portalsmaster+925 -1 K
build: Upgrade various linters for npm audit concernswikimedia/portalsmaster+1 K -809
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 StalledNoneT302086 Set scap minimum python version to 3.7
 ResolvedNoneT247045 Migrate all of production metal and VMs to Buster or later
 ResolvedakosiarisT249724 Track and remove jessie based container images from production
 ResolvedJdforrester-WMFT224908 Drop jessie testing support
 ResolvedJdforrester-WMFT224907 Drop php55 testing support
 ResolvedReedyT205039 Release MediaWiki 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedReedyT205041 Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
 ResolvedBawolffT197279 Direct POST to Special:ChangeEmail will bypass reauth check
 ResolvedAnomieT204729 Potential enwiki DOS due to slow WatchedItemStore::countVisitingWatchersMultiple
 ResolvedBawolffT207603 CVE-2019-12471: Loading JS from user space where the username is not a registered account is dangerous and should be banned
 ResolvedBawolffT208881 CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser
 ResolvedLegoktmT199540 Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API
 ResolvedLucas_Werkmeister_WMDET212118 API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly
 ResolvedBawolffT209794 Need to make a limit of count of attempts to change email address
 ResolvedsbassettT222036 Exposed suppressed username or log in Special:EditTags
 ResolvedsbassettT222038 Exposed suppressed log in RevisionDelete page
 ResolvedJdforrester-WMFT221739 Patch jQuery due to CVE-2019-11358
 ResolvedsbassettT25227 Use token when logging out
 ResolvedsbassettT221868 Send out wikitech-l post for T25227 ("Use token when logging out")
 ResolvedReedyT205042 Write and send release announcements for 1.27.6/1.30.2/1.31.2/1.32.2 security releases
 ResolvedReedyT205043 Write and send pre-release Announcements for MediaWiki 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedJdforrester-WMFT205044 Update onwiki release notes for 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedReedyT205046 Update HISTORY in master after 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedReedyT205047 Tag MW 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedReedyT224499 RELEASE-NOTES for 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedJdforrester-WMFT224912 Update MediaWiki.org links and versions
 ResolvedJdforrester-WMFT224913 EOL REL1_27 and REL1_30 onwiki
 ResolvedReedyT225201 Formally announce EOL of MW 1.27 and 1.30
 ResolvedReedyT225149 Update CVEs and publish them
 ResolvedReedyT205048 Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases
 ResolvedJdforrester-WMFT224906 Drop php56 testing support
 ResolvedhasharT223348 Run wikimedia/fundraising/crm CI jobs on PHP7x, not PHP5x
 ResolvedhasharT210287 Migrate wikimedia-fundraising-civicrm to a Docker container
 ResolvedJdforrester-WMFT224905 Move wikiba.se tests from php56 to php72
 ResolvedhasharT224591 Migrate contint* hosts to Buster
 DeclinedMoritzMuehlenhoffT226236 Upload docker-ce 18.06.3 upstream package for Stretch
 InvalidthciprianiT239880 Replacement hardware for buster/stretch upgrade of contint1001 and contint2001
 Resolved mmodellT215458 Convert zuul to use scap
 ResolvedhasharT240551 Remove Zuul Debian package from WMCS instances
 ResolvedJoeT249110 Build and publish a python2 based container to build wheels
 ResolvedJMeybohmT249812 Rebuild helm/helm-diff for buster-wikimedia
 ResolvedJMeybohmT250479 Rebuild helmfile for buster-wikimedia
 DuplicateDzahnT210008 upgrade krypton (webserver_misc_apps) to stretch
 DeclinedDzahnT224194 switch webserver_misc_apps to PHP 7.2 (7.1)
 ResolvedJdforrester-WMFT211784 Upgrade all CI jobs from node6/npm3 to node10/npm6 across all projects
 ResolvedMoritzMuehlenhoffT241719 Migrate remaining self-hosted puppet masters to Puppet 5 / facter 3
 ResolvedJdforrester-WMFT236576 Move all Wikimedia CI (WMCS integration project) instances from jessie to stretch
 ResolvedthciprianiT216039 jenkins / zuul backing up due to jenkins slaves down
 ResolvedhasharT216244 Don't hardcode castor url in castor docker container
 ResolvedJdforrester-WMFT225031 On CI Jenkins, audit worker labels and remove unused ones
 ResolvedJdforrester-WMFT239981 Delete Jenkins label DebianJessie
 OpenNoneT238747 Migrate www.wikipedia.org (and other www portals) to be its own service
 ResolvedjeenaT213806 Migrate wikimedia-portals-build to Docker container
 ResolvedJdforrester-WMFT237479 Update the wikimedia-portals repo's CI/linting code for various security issues

Event Timeline

Jdforrester-WMF created this task.Nov 5 2019, 10:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2019, 10:43 PM
MarcoAurelio subscribed.Nov 5 2019, 10:54 PM
gerritbot added a comment.Nov 5 2019, 11:32 PM

Change 548933 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade various linters for npm audit concerns

https://gerrit.wikimedia.org/r/548933

gerritbot added a project: Patch-For-Review.Nov 5 2019, 11:32 PM

Change 548935 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] [WIP] build: Upgrade all the gulp modules to latest

https://gerrit.wikimedia.org/r/548935

gerritbot added a comment.Nov 14 2019, 12:54 PM

Change 548933 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade various linters for npm audit concerns

https://gerrit.wikimedia.org/r/548933

Jdforrester-WMF mentioned this in T243792: Upgrade dev dependencies of repositiory wikimedia/portals.Jan 28 2020, 4:00 PM
Jdforrester-WMF added subtasks: T213806: Migrate wikimedia-portals-build to Docker container, T238747: Migrate www.wikipedia.org (and other www portals) to be its own service.
Jdforrester-WMF added a project: Release-Engineering-Team-TODO.
Jdforrester-WMF merged a task: T243792: Upgrade dev dependencies of repositiory wikimedia/portals.
Jdforrester-WMF added a subscriber: Umherirrender.
gerritbot added a comment.Feb 7 2020, 1:56 AM

Change 570767 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade all npm audit issues we can

https://gerrit.wikimedia.org/r/570767

gerritbot added a comment.Feb 21 2020, 7:48 PM

Change 574068 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade pngquant-bin from ^3.1.1 to ^5.0.2

https://gerrit.wikimedia.org/r/574068

gerritbot added a comment.Feb 21 2020, 7:48 PM

Change 574069 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade postcss-import from ^8.0.2 to ^12.0.1

https://gerrit.wikimedia.org/r/574069

gerritbot added a comment.Feb 21 2020, 7:48 PM

Change 574070 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade gulp to 4.x and make work

https://gerrit.wikimedia.org/r/574070

gerritbot added a comment.Feb 26 2020, 10:00 AM

Change 574068 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade pngquant-bin from ^3.1.1 to ^5.0.2

https://gerrit.wikimedia.org/r/574068

gerritbot added a comment.Feb 26 2020, 10:02 AM

Change 574069 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade postcss-import from ^8.0.2 to ^12.0.1

https://gerrit.wikimedia.org/r/574069

Jdforrester-WMF removed a subtask: T213806: Migrate wikimedia-portals-build to Docker container.Feb 26 2020, 6:25 PM
Jdforrester-WMF added a parent task: T213806: Migrate wikimedia-portals-build to Docker container.
gerritbot added a comment.Mar 3 2020, 10:08 AM

Change 574070 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade gulp to 4.x and make work

https://gerrit.wikimedia.org/r/574070

gerritbot added a comment.Mar 3 2020, 10:38 AM

Change 570767 merged by Jdrewniak:
[wikimedia/portals@master] build: Upgrade gulp-clean-css and gulp-load-plugins for security issues

https://gerrit.wikimedia.org/r/570767

gerritbot added a comment.Mar 3 2020, 2:52 PM

Change 548935 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade everything to latest

https://gerrit.wikimedia.org/r/548935

Maintenance_bot removed a project: Patch-For-Review.Mar 3 2020, 3:10 PM
Jdforrester-WMF removed a subtask: T238747: Migrate www.wikipedia.org (and other www portals) to be its own service.Mar 3 2020, 6:05 PM
Jdforrester-WMF closed this task as Resolved.Mar 3 2020, 6:17 PM
Jdforrester-WMF claimed this task.

Well, bother. I was about to mark this as Resolved, but there's a new issue in decompress which we use via pngquant.

https://github.com/kevva/decompress/issues/76

No available fix yet. Let's just declare this Resolved and I'll track that one in other work.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits