
Fix known npm dependency vulnerabilities on push-notifications
Closed, Resolved · Public

Description

Finding from security review:

We need to fix the following vulnerabilities in the npm dependencies:

Vulnerable Packages - Production

| Vulnerability | Package | Notes | Service | Risk |
| --- | --- | --- | --- | --- |
| Prototype Pollution | minimist <0.2.1, >=1.0.0 <1.2.3 | N/A | npm | low |

Update: There is only one remaining dependency vulnerability, which is an upstream issue tracked down to service-runner; the table was updated to reflect that.

PR: https://github.com/wikimedia/service-runner/pull/231
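The finding above is a prototype-pollution bug in the argv parser minimist: a dotted option such as `--__proto__.polluted=yes` is walked key by key and lands on `Object.prototype`, so every object in the process gains the attacker-chosen property. The following is an added example, not code from this task, from minimist or from service-runner: a deliberately minimal parser in the same style (`parseArgs`, `setKeyUnsafe`, `setKeySafe`, `isPolluted` and `demo` are names chosen here), with the vulnerable key walk beside a hardened one that drops `__proto__`, `constructor` and `prototype` segments, which is the same shape of fix the patched minimist line uses.

```javascript
// Added example (not the task's, minimist's or service-runner's own code).
// A minimist-style argv parser: "--a.b=1" becomes { a: { b: "1" } } by
// walking the dotted key. Without a check on the key segments, the walk
// can reach Object.prototype and pollute every object in the process.

// Vulnerable: obj["__proto__"] is Object.prototype, so the final
// assignment writes into the shared prototype instead of the result.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k]; // for k === "__proto__", o is now Object.prototype
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: reject any option whose path contains a prototype-related
// segment, and only descend into own properties of the result object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN.has(k))) return; // drop the option entirely
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(o, k) || typeof o[k] !== 'object' || o[k] === null) {
      o[k] = {};
    }
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Minimal parser: supports "--key=value" and bare "--flag" (=> true).
// setKey is injected so the same input can be run through both variants.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    setKey(out, key.split('.'), value);
  }
  return out;
}

// Check a practitioner can run after parsing untrusted argv: has the
// shared prototype acquired an own property it did not have before?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed hostile input: one benign option and one pollution attempt.
function demo() {
  const hostile = ['--port=8080', '--__proto__.polluted=yes'];
  const results = {};

  parseArgs(hostile, setKeyUnsafe);
  results.unsafePolluted = isPolluted('polluted'); // true: ({}).polluted === "yes"
  delete Object.prototype.polluted; // undo the pollution before the next run

  parseArgs(hostile, setKeySafe);
  results.safePolluted = isPolluted('polluted'); // false: option was dropped
  return results;
}

module.exports = { setKeyUnsafe, setKeySafe, parseArgs, isPolluted, demo };
```

The `isPolluted` check is the useful part to keep around: after upgrading a parser, run a known pollution payload through it and assert that `Object.prototype` gained nothing. The vulnerable variant above only needs a single `--__proto__.x=y` argument to succeed, which is why the version ranges in the table matter even for a "low" npm rating when the service parses argv it does not control.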

Event Timeline

Restricted Application added a subscriber: Aklapper. Sep 11 2020, 9:26 AM

After a quick npm audit --fix run it looks like most of the vulnerabilities can be fixed automatically and tests run fine after the fixes.
The only one that's tricky is related to:
https://github.com/wikimedia/service-runner/pull/231

Change 627427 had a related patch set uploaded (by MSantos; owner: MSantos):
[mediawiki/services/push-notifications@master] Fix npm dependencies automatically with audit

https://gerrit.wikimedia.org/r/627427

MSantos claimed this task. Sep 15 2020, 9:13 AM

Change 627427 merged by jenkins-bot:
[mediawiki/services/push-notifications@master] Fix npm dependencies automatically with audit

https://gerrit.wikimedia.org/r/627427

Mholloway triaged this task as High priority. Sep 15 2020, 3:41 PM

@Jgiannelos or @MSantos Would you mind updating the table in the task description with which deps have been updated and which are blocked on service-runner updates?

MSantos changed the task status from Open to Stalled. Sep 15 2020, 5:24 PM
MSantos updated the task description. (Show Details)

> @Jgiannelos or @MSantos Would you mind updating the table in the task description with which deps have been updated and which are blocked on service-runner updates?

Done

Tagging with service-runner since that's what's pulling in the vulnerable package.

Mholloway updated the task description. (Show Details) Sep 17 2020, 10:22 PM
Mholloway lowered the priority of this task from High to Low. Sep 18 2020, 12:04 AM

Dropping to low since it's probably actually a WONTFIX for the near future.

MSantos closed this task as Resolved.Sep 29 2020, 3:54 PM