Review unminified Webpack-generated code for Section Translation
Closed, Resolved (Public)

Description

In order to follow security best practices identified in T260236, we'll analyze the code produced for Section Translation during the build step of Webpack.

Event Timeline

Pginer-WMF renamed this task from Review unminified Webpack-generated code to Review unminified Webpack-generated code for Section Translation. Feb 15 2021, 10:33 AM
Pginer-WMF triaged this task as Medium priority.
Pginer-WMF moved this task from Backlog to General infrastructure on the SectionTranslation board.
Pginer-WMF added subscribers: sbassett, Reedy.

I did an analysis using webpack bundle analyser.
Here is the HTML report.

js/cx.lib.js - the chunk which contains our dependency libraries has core-js being a significant part. This is due to browser polyfills required to support the range of browsers. Tightening the browserslist configuration strictly reduces the libraries, but will not remove them completely. The i18n library is another part - mostly contributed by language data in it, but worth looking at whether it can be optimized further.

@santhosh - thanks for performing this analysis. I think adding @Reedy and myself to any related gerrit change sets where these artifacts might be committed would also be helpful, so that we can perform a security-focused analysis similar to the one performed for this WVUI change set. Thanks.

Change 670024 had a related patch set uploaded (by Santhosh; owner: Santhosh):
[mediawiki/extensions/ContentTranslation@master] CX3 Build: Remove IE11 from supported browsers

https://gerrit.wikimedia.org/r/670024

Explicitly excluded IE11 from supported browsers and there is a gain in bundle size now since some polyfills are removed. New report:

Total gzipped bundle size changed from 129.18 to 109.74 KB

Change 670024 merged by jenkins-bot:
[mediawiki/extensions/ContentTranslation@master] CX3 Build: Remove IE11 from supported browsers

https://gerrit.wikimedia.org/r/670024

In today's planning meeting Santhosh confirmed this was done, and as follow-ups we'll inform the security team of any relevant updates.