Page MenuHomePhabricator
Create Task
Maniphest T275047

Create webpack security standard for MediaWiki development
Open, Needs TriagePublic
Actions

Description

Vague placeholder task for creating a standard/documentation wrt the use of webpack in MediaWiki development.

Things in Wikimedia production (that we know about) currently using webpack in some way:

There are some other quasi-webpack-related dependencies floating around for production code/dependencies as well (e.g. 1, 2, etc). And then things that use tools like storybook (MinervaNeue et al) that build artifacts which might end up on places like doc.wikimedia.org.

Related Objects

Event Timeline

Reedy created this task.Feb 17 2021, 4:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2021, 4:55 PM
sbassett subscribed.Feb 17 2021, 5:17 PM
sbassett added a comment.EditedFeb 17 2021, 5:26 PM

Some initial thoughts:

  1. I think the initial standard is: don't. Given the outcomes of the VueJS task force and commitments of various teams at this point, Rollup is likely to be the low-risk, paved-road approach for any JS-related build steps, e.g. T272879 and also a part of SX's current risk mitigation plan at T260236#6825798.
  2. I'm not saying the following is a perfect approach, but requiring human-readable (kinda) webpack artifacts with any relevant gerrit cs with the steps I performed and outlined here should be mostly feasible and sufficient for now. A couple of questions remain as to 1) how long we plan to support this kind of stuff until we... mandate? migration to Rollup and 2) how similar a manual review process Rollup artifacts might require.
Reedy updated the task description. (Show Details)Feb 17 2021, 5:54 PM
sbassett moved this task from Incoming to Back Orders on the Security-Team board.Feb 22 2021, 4:27 PM
sbassett added projects: SecTeam-Processed, JavaScript.
RhinosF1 subscribed.Feb 22 2021, 4:28 PM
sbassett updated the task description. (Show Details)Feb 22 2021, 5:54 PM
Restricted Application added a subscriber: Masumrezarock100. · View Herald TranscriptFeb 22 2021, 5:54 PM
Reedy mentioned this in T269007: Security Readiness Review For Citoid VE Mobile ISBN Barcode Scanner.Mar 9 2021, 6:05 PM
Reedy added a project: Front-end-Standards-Group.Nov 3 2021, 7:07 PM
Krinkle subscribed.Apr 13 2022, 9:06 PM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits