Page MenuHomePhabricator

Update the wikimedia-portals repo's CI/linting code for various security issues
Closed, ResolvedPublic

Description

None of them AFAICS are "actual" issues (we don't run that code anywhere near production), but the warnings go all the way up to critical (eslint-utils and handlebars) along with high (set-value, mixin-deep, lodash, lodash.merge, handlebars again, lodash again, js-yaml), moderate (4) and low (3).

Unfortunately I can't build master locally, so I can't fix it for you.

Related Objects

StatusSubtypeAssignedTask
StalledNone
ResolvedNone
Resolvedakosiaris
ResolvedJdforrester-WMF
ResolvedJdforrester-WMF
ResolvedReedy
ResolvedReedy
ResolvedBawolff
ResolvedAnomie
ResolvedBawolff
ResolvedBawolff
ResolvedLegoktm
ResolvedLucas_Werkmeister_WMDE
ResolvedBawolff
Resolvedsbassett
Resolvedsbassett
ResolvedJdforrester-WMF
Resolvedsbassett
Resolvedsbassett
ResolvedReedy
ResolvedReedy
ResolvedJdforrester-WMF
ResolvedReedy
ResolvedReedy
ResolvedReedy
ResolvedJdforrester-WMF
ResolvedJdforrester-WMF
ResolvedReedy
ResolvedReedy
ResolvedReedy
ResolvedJdforrester-WMF
Resolvedhashar
Resolvedhashar
ResolvedJdforrester-WMF
Resolvedhashar
DeclinedMoritzMuehlenhoff
Invalidthcipriani
Resolved mmodell
Resolvedhashar
ResolvedJoe
ResolvedJMeybohm
ResolvedJMeybohm
DuplicateDzahn
DeclinedDzahn
ResolvedJdforrester-WMF
ResolvedMoritzMuehlenhoff
ResolvedJdforrester-WMF
Resolvedthcipriani
Resolvedhashar
ResolvedJdforrester-WMF
ResolvedJdforrester-WMF
OpenNone
Resolvedjeena
ResolvedJdforrester-WMF

Event Timeline

Change 548933 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade various linters for npm audit concerns

https://gerrit.wikimedia.org/r/548933

Change 548935 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] [WIP] build: Upgrade all the gulp modules to latest

https://gerrit.wikimedia.org/r/548935

Change 548933 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade various linters for npm audit concerns

https://gerrit.wikimedia.org/r/548933

Change 570767 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade all npm audit issues we can

https://gerrit.wikimedia.org/r/570767

Change 574068 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade pngquant-bin from ^3.1.1 to ^5.0.2

https://gerrit.wikimedia.org/r/574068

Change 574069 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade postcss-import from ^8.0.2 to ^12.0.1

https://gerrit.wikimedia.org/r/574069

Change 574070 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[wikimedia/portals@master] build: Upgrade gulp to 4.x and make work

https://gerrit.wikimedia.org/r/574070

Change 574068 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade pngquant-bin from ^3.1.1 to ^5.0.2

https://gerrit.wikimedia.org/r/574068

Change 574069 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade postcss-import from ^8.0.2 to ^12.0.1

https://gerrit.wikimedia.org/r/574069

Change 574070 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade gulp to 4.x and make work

https://gerrit.wikimedia.org/r/574070

Change 570767 merged by Jdrewniak:
[wikimedia/portals@master] build: Upgrade gulp-clean-css and gulp-load-plugins for security issues

https://gerrit.wikimedia.org/r/570767

Change 548935 merged by jenkins-bot:
[wikimedia/portals@master] build: Upgrade everything to latest

https://gerrit.wikimedia.org/r/548935

Jdforrester-WMF claimed this task.

Well, bother. I was about to mark this as Resolved, but there's a new issue in decompress which we use via pngquant.

https://github.com/kevva/decompress/issues/76

No available fix yet. Let's just declare this Resolved and I'll track that one in other work.