
Security Readiness Review For Vue version 3
Closed, Declined (Public)

Description

The Foundation will be adopting Vue 3 (see T251974). Vue 3.0 has been officially released. It would be ideal if a security review of the library could be completed to enable early adoption before many components have been written.

Project Information

Description of the tool/project:
JavaScript framework.

Description of how the tool will be used at WMF:
This framework will be used by all frontend UI code. It's possible that backend usage may occur in the future. The initial usage will be Vue.js search (T244392).

Dependencies
No additional runtime dependencies but numerous compile-time dependencies including:

Has this project been reviewed before?
Vue 2 is in Core but not Vue 3.

Working test environment

Post-deployment
Web

Event Timeline

@Niedzielski, I added the standard Security review template to the task; that will need to be updated.

sbassett moved this task from Incoming to Back Orders on the secscrum board.

Hey @Niedzielski -

A few points:

  1. As noted by @Peachey88 and @Aklapper, if you could work to fill out as much of our standard security review template (now pasted within the task description), that would be great, as we cannot begin a review until that is completed. Of particular interest would be target dates for deploying any Wikimedia-related code, what those projects are and at a high level, how they plan to use Vue3.
  2. If you could follow up here with a note on when Vue3 is officially released, that would be great. We can try to pay attention to the release date as well, but will not be following along nearly as closely as you or your team.
  3. To set expectations here, we'll plan to perform more of a due-diligence review based upon these guidelines. There isn't really any feasible way we'll be able to provide much beyond this given the size and complexity of Vue and its (now quite large) ecosystem.
sbassett changed the task status from Open to Stalled. Jul 13 2020, 4:40 PM

Thank you, @Peachey88! Done.

See (and bookmark?)

Done.

@sbassett:

1. Done.

2. Thanks, will do.

Niedzielski renamed this task from Security review of Vue 3 to Security Readiness Review For Vue version 3. Jul 14 2020, 3:22 PM

@Niedzielski - thanks for the update regarding the release candidate. Do we have any better sense of when the actual Vue3 release might occur? I'd prefer we wait to begin this review until an official release of Vue3 just in case there are major bug/security fixes from the release candidates.

(I see they just released rc.5 yesterday)

@sbassett, I've not heard anything new. Just "early August."

@Niedzielski - I see rc.9 was just released. Are you aware of any updates as to when an initial non-rc release of Vue3 might occur? I'm guessing we'll have to reset expectations on the timeline of August 30th in the task description as that cannot really happen at this point.

Are you aware of any updates as to when an initial non-rc release of Vue3 might occur?

@sbassett, no, I've not heard anything.

I'm guessing we'll have to reset expectations on the timeline of August 30th in the task description as that cannot really happen at this point.

Makes sense. The timeline should probably say "as soon as available."

sbassett changed the task status from Open to Stalled. Oct 28 2020, 4:23 PM
sbassett moved this task from In Progress to Waiting on the secscrum board.
sbassett moved this task from In Progress to Waiting on the user-sbassett board.
sbassett moved this task from Waiting to Back Orders on the secscrum board.
sbassett removed a project: user-sbassett.
This comment was removed by Jcross.

@Volker_E @Jdlrobson - as the ostensible current requesters of this review, is there anything on your or your teams' end blocking this review? The Security-Team would like to attempt to complete this review this quarter (Q4 2021), if possible. Also - this will not be a line-by-line code review of Vue3, but more of a vendor review focused upon higher-level security models and best practices.

@Volker_E @Jdlrobson Please respond to our previous message by April 20 or we will need to move this to our backlog. Thanks!

Hey there, I am not the right person to answer this right now. @Catrope should probably take over this request along with Volker instead of me. As I understand it, they are overseeing the move to Vue 3.

cc @egardner

Nothing from the web team should be blocking this review.

Since it looks like Vue is never going to support IE11 in Vue 3, and instead backport some Vue 3 features to a new Vue 2.7 release (that's what's currently being proposed, and it seems likely to happen), we don't think that any WMF code will likely migrate to Vue 3 for at least a year or more. I do think we'll likely upgrade to 2.7 once it's out, and we may want to use the composition API plugin before then, to get some of those 2.7 features early (the proposal calls for this plugin to be made part of Vue itself in 2.7). So I think a security readiness review of Vue 3 can be postponed for now, and we'll probably ask for a review of Vue 2.7 when it comes out. We may also ask for a review of the composition API plugin for 2.6; I'll ask the other Vue migration team members about that.

sbassett removed a project: secscrum.

Thanks, @Catrope. I'm going to decline this for now. It can be re-opened and/or modified for Vue 2.7, whenever that makes the most sense. I think the Security-Team definitely would like to have a look at Vue again, since the previous review (T168264) was for Vue 2.3.3 and is pretty dated at this point. Though any future review would likely focus more upon Vue's current security model and best practices as opposed to a line-by-line, manual code audit.

Thanks @sbassett! I asked the other engineers on the Vue team, and it sounds like we do plan on using the composition API plugin soon (which is a plugin for Vue 2.6 that essentially adds a subset of the anticipated 2.7 features). I've opened T281527: Security Readiness Review For Vue composition API plugin to request a review of that plugin. I'll link this task there too for context. We'll plan to reopen this task when Vue 2.7 comes out.