Create webpack security standard for MediaWiki development
Open, Needs Triage, Public


Vague placeholder task for creating a standard/documentation wrt the use of webpack in MediaWiki development.

Things in Wikimedia production (that we know about) currently using webpack in some way:

There are some other quasi-webpack-related dependencies floating around for production code/dependencies as well (e.g. 1, 2, etc). And then things that use tools like storybook (MinervaNeue et al) that build artifacts which might end up on places like

Event Timeline

Some initial thoughts:

  1. I think the initial standard is: don't. Given the outcomes of the VueJS task force and commitments of various teams at this point, Rollup is likely to be the low-risk, paved-road approach for any JS-related build steps, e.g. T272879 and also a part of SX's current risk mitigation plan at T260236#6825798.
  2. I'm not saying the following is a perfect approach, but requiring human-readable (kinda) webpack artifacts with any relevant gerrit cs with the steps I performed and outlined here should be mostly feasible and sufficient for now. A couple of questions remain as to 1) how long we plan to support this kind of stuff until we... mandate? migration to Rollup and 2) how similar a manual review process Rollup artifacts might require.