Page MenuHomePhabricator
Create Task
Maniphest T274626

wikidata-query-gui build tooling uses outdated packages (via grunt)
Open, Needs TriagePublic5 Estimated Story Points
Actions

Description

The wikidata-query-gui still uses grunt to run its tests, build itself, and deploy itself.
Some packages in this pipeline are completely unmaintained like grunt-usemin.

grunt-usemin has a old version of lodash in its dependency chain which causes security alerts in npm audit due to Prototype Pollution.
While this is not a security issue for us, it is noise in the npm audit reports and the weekly dependabot security emails.

Acceptance Criteria:

  • packages used as part of the build tooling are up to date per npm audit

Related Objects

Event Timeline

Michael created this task.Feb 12 2021, 10:43 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 12 2021, 10:43 AM
Celenduin mentioned this in rWDQG64b9ed57e129: chore: upgrade dependencies to make npm audit happy.Feb 12 2021, 11:02 AM
Addshore added a project: Wikidata-Campsite.Feb 23 2021, 12:33 PM
Addshore moved this task from Incoming to Prioritized Wikidata Tech Backlog (prioritised from top to bottom) on the Wikidata-Campsite board.
Addshore edited projects, added [DEPRECATED] wdwb-tech (legacy-backlog); removed [DEPRECATED] wdwb-tech.
Addshore moved this task from Incoming to 3. Fill ins (-I -E) on the [DEPRECATED] wdwb-tech (legacy-backlog) board.
Addshore updated the task description. (Show Details)Feb 23 2021, 1:08 PM
Addshore subscribed.

In ticket polishing it was said that we might want to stop using grunt in all of out codebases.

Addshore updated the task description. (Show Details)Feb 23 2021, 1:09 PM
Addshore renamed this task from Replace wikidata-query-gui build tooling to wikidata-query-gui build tooling uses outdated packages (via grunt).Feb 25 2021, 10:23 AM
Addshore updated the task description. (Show Details)
darthmon_wmde set the point value for this task to 5.Feb 25 2021, 10:25 AM
darthmon_wmde moved this task from Prioritized Wikidata Tech Backlog (prioritised from top to bottom) to Wikidata-Campsite-Iteration-∞ (On Hold) on the Wikidata-Campsite board.
darthmon_wmde edited projects, added Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)); removed Wikidata-Campsite.
Addshore moved this task from 3. Fill ins (-I -E) to Active on the [DEPRECATED] wdwb-tech (legacy-backlog) board.Feb 25 2021, 10:28 AM
Addshore moved this task from incoming to in progress on the Wikidata board.
Silvan_WMDE claimed this task.Mar 1 2021, 9:06 AM
Silvan_WMDE moved this task from To Do (prioritised from top to bottom) to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Tonina_Zhelyazkova_WMDE subscribed.EditedMar 1 2021, 9:40 AM

Task Inspection notes:

  1. Try to find a package similar to grunt-useman and replace it due to the security issues.
  2. If such package does not exist, stop using grunt for the build step and do it with npm/webpack etc.
Silvan_WMDE added a comment.EditedMar 10 2021, 12:55 PM

Findings so far:

  • The build task consist of several steps: less, copy, several usemin subtasks and merge-i18n.
  • The grunt-usemin package is some kind of umbrella task that covers several build steps, including concat, cssmin, uglify, filerev and htmlmin.
  • It is not a good option to replace only grunt-usemin with some other grunt task(s), leaving grunt itself and its remaining tasks untouched, because apparently usemin was a widely used de-facto standard approach, back in the days. In order to replace it, we would have to go and find a different not-so-widely used grunt task which will probably also be outdated soon, as people move away from grunt.
  • A possible alternative to using grunt is running the entire build process by using npm scripts directly:
    • grunt-contrib-clean, grunt-contrib-less and grunt-contrib-copy can easily be replaced by npm modules del-cli, less and cpy-cli
    • For grunt-usemin there is also a non-grunt CLI version called usemin-cli that is not outdated, but unfortunately it does not cover the filerev step.
    • I was not able to find a good replacement for the grunt-filerev task, which is a grunt-usemin step and also deprecated already. The best candidate is node-file-rev, which is a CLI tool, but it only covers revisioning and renaming files, not replacing their occurrences (as grunt-filerev does in combination with usemin).
    • The build step merge-i18n is also a grunt task, which was built by wikimedia. It is hosted on gerrit and mirrored to GitHub, from where it is loaded by wikidata-query-gui's package.json. It can potentially be left untouched and re-used in combination with an npm module called grunty, which allows running grunt tasks directly via npm scripts, without setting up grunt and configuring a big Gruntfile.js.
  • If it turns out that the entire build process can not be covered by npmscripts directly, then webpack is probably a good alternative. It can possibly be combined with grunty to run the merge-i18n step. Apparently even a usemin plugin for webpack exists, not sure if that is helpful.
Silvan_WMDE moved this task from Doing to To Do (prioritised from top to bottom) on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.Mar 10 2021, 12:58 PM

Moving this task back to ToDo for task inspection and potential breakdown.

Silvan_WMDE added a comment.Mar 11 2021, 12:23 PM

Three options left:

  1. do it via npm scripts
  2. convert the build process to webpack
  3. don't do anything, because the lodash security vulnerability only affects our own build process and does not end up on production

Camp currently favours option 3. @Addshore? @Michael?

Addshore added a comment.Mar 16 2021, 10:46 AM

Option 3 sounds fine to me.
I'm sure one day this will be converted to webpacke / whatever build system we are using then, but perhaps today is not that day

Addshore moved this task from legacy-backlog to Active on the [DEPRECATED] wdwb-tech board.Mar 18 2021, 9:29 AM
Addshore edited projects, added [DEPRECATED] wdwb-tech; removed [DEPRECATED] wdwb-tech (legacy-backlog).
darthmon_wmde subscribed.Mar 19 2021, 10:33 AM
Tonina_Zhelyazkova_WMDE added a comment.Mar 29 2021, 9:06 AM

Removing this from the camp board since option 3 was agreed on 2 weeks ago and nobody has made an objection since then

Tonina_Zhelyazkova_WMDE removed a project: Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)).Mar 29 2021, 9:06 AM
Volker_E subscribed.Apr 11 2021, 1:18 PM
Lucas_Werkmeister_WMDE mentioned this in T288466: [QS-GUI] Port Wikidata Query UI to a modern build system.Aug 9 2021, 4:01 PM
Addshore unsubscribed.Jun 27 2023, 11:47 AM
Silvan_WMDE removed Silvan_WMDE as the assignee of this task.Sep 19 2023, 7:27 AM
Silvan_WMDE subscribed.

forgot to unassign myself when moving this task back to ToDo :-)

Silvan_WMDE unsubscribed.Sep 19 2023, 7:27 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits