Page MenuHomePhabricator
Create Task
Maniphest T262648

Fix known npm dependency vulnerabilities on push-notifications
Closed, ResolvedPublic
Actions

Description

Finding from security review:

We need to fix the folllowing vulnerabilities on the npm dependencies:

Vulnerable Packages - Production

VulnerabilityPackageNotesServiceRisk
Prototype Pollutionminimist <0.2.1, >=1.0.0 <1.2.3N/Anpm low

Update: There is only one remainder dependency vulnerability which is an upstream issue tracked down to service-runner, the table was updated to reflect that.

PR: https://github.com/wikimedia/service-runner/pull/231

Details

ProjectBranchLines +/-Subject
mediawiki/services/push-notificationsmaster+342 -55Fix npm dependencies automatically with audit
Customize query in gerrit

Related Objects
Search...

Event Timeline

Jgiannelos created this task.Sep 11 2020, 9:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2020, 9:26 AM
Jgiannelos added a parent task: T246712: Security Readiness Review for push notifications infrastructure.Sep 11 2020, 9:27 AM

After a quick npm audit --fix run it looks like most of the vulnerabilities can be fixed automatically and tests run fine after the fixes.
The only one that's tricky is related to:
https://github.com/wikimedia/service-runner/pull/231

gerritbot added a comment.Sep 15 2020, 8:50 AM

Change 627427 had a related patch set uploaded (by MSantos; owner: MSantos):
[mediawiki/services/push-notifications@master] Fix npm dependencies automatically with audit

https://gerrit.wikimedia.org/r/627427

gerritbot added a project: Patch-For-Review.Sep 15 2020, 8:50 AM
Jgiannelos moved this task from Needs triage to Kanban on the Product-Infrastructure-Team-Backlog board.Sep 15 2020, 9:05 AM
Jgiannelos edited projects, added Product-Infrastructure-Team-Backlog (Kanban); removed Product-Infrastructure-Team-Backlog.
MSantos claimed this task.Sep 15 2020, 9:13 AM
Jgiannelos moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog (Kanban) board.Sep 15 2020, 9:34 AM
Jgiannelos moved this task from Doing to Code Review on the Product-Infrastructure-Team-Backlog (Kanban) board.
Jgiannelos moved this task from Code Review to To Deploy on the Product-Infrastructure-Team-Backlog (Kanban) board.Sep 15 2020, 1:52 PM
gerritbot added a comment.Sep 15 2020, 2:01 PM

Change 627427 merged by jenkins-bot:
[mediawiki/services/push-notifications@master] Fix npm dependencies automatically with audit

https://gerrit.wikimedia.org/r/627427

Mholloway triaged this task as High priority.Sep 15 2020, 3:41 PM
Mholloway added a subscriber: Mholloway.Sep 15 2020, 4:45 PM

@Jgiannelos or @MSantos Would you mind updating the table in the task description with which deps have been updated and which are blocked on service-runner updates?

MSantos changed the task status from Open to Stalled.Sep 15 2020, 5:24 PM
MSantos updated the task description. (Show Details)
In T262648#6463362, @Mholloway wrote:

@Jgiannelos or @MSantos Would you mind updating the table in the task description with which deps have been updated and which are blocked on service-runner updates?

Done

Mholloway added a project: service-runner.Sep 17 2020, 10:22 PM

Tagging with service-runner since that's what's pulling in the vulnerable package.

Mholloway updated the task description. (Show Details)Sep 17 2020, 10:22 PM
Mholloway lowered the priority of this task from High to Low.Sep 18 2020, 12:04 AM

Dropping to low since it's probably actually a WONTFIX for the near future.

Jgiannelos moved this task from To Deploy to Sign off on the Product-Infrastructure-Team-Backlog (Kanban) board.Sep 21 2020, 3:57 PM
MSantos closed this task as Resolved.Sep 29 2020, 3:54 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL