"build: Updating y18n to 3.2.2" commits didn't all work properly
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	DannyS712
	Mar 30 2021, 5:41 PM

Description

Some worked fine, updating the version, resolved, and integrity in package-lock.json[1]

good commit

 "y18n": {
-  "version": "3.2.1",
+  "version": "3.2.2",
-  "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz",
+  "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.2.tgz",
-  "integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=",
+  "integrity": "sha512-uGZHXkHnhF0XeeAPgnKfPv1bgKAYyVvmNL1xlKsPYZPaIHxGti2hHqvOCQv71XMsLxu1QjergkqogUnms5D3YQ==",
   "dev": true
 }

Some, however, just removed the integrity, set the resolved to an empty string, and didn't change the version

bad commit

 "y18n": {
   "version": "3.2.1",
-  "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz",
+  "resolved": "",
-  "integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=",
   "dev": true
 }

At first I thought it was tied to whether there were other changes in the commit, since the first few bad commits I found also had "Dropped .php5 and .inc files from .phpcs.xml" as an additional change, but then I found some bad commits without that additional change:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PronunciationRecording/+/675654
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikisource/+/675784
https://gerrit.wikimedia.org/r/c/mediawiki/skins/CologneBlue/+/675789
https://gerrit.wikimedia.org/r/c/mediawiki/skins/apex/+/675798

[1] Example good commits:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ShoutWikiAds/+/675712
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SmiteSpam/+/675714

Details

	Subject	Repo	Branch	Lines +/-
	Fix the stupid npm "resolved" issue	labs/libraryupgrader	master	+46 -0

Customize query in gerrit

Related Objects

Mentioned In: T242058: Add some form of static analysis for package-lock.json
Mentioned Here: P16074 (An Untitled Masterwork)

Event Timeline

DannyS712 created this task.Mar 30 2021, 5:41 PM

Restricted Application added a project: User-DannyS712. · View Herald TranscriptMar 30 2021, 5:41 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

DannyS712 moved this task from Unsorted to Reports on the User-DannyS712 board.Mar 30 2021, 5:41 PM

RhinosF1 subscribed.Mar 30 2021, 5:41 PM

LibUp just runs npm audit fix, sometimes the endpoint it hits is buggy.

What does having an empty URL even mean in practice? Those repos are no longer listed on https://libraryupgrader2.wmcloud.org/vulns/npm ... are they fixed?

Seems to have been fine? Please reopen if something is actually wrong.

In T278857#7073329, @Legoktm wrote:

Seems to have been fine? Please reopen if something is actually wrong.

The bad commits linked in the task description are wrong - they removed the resolved url, and didn't actually update the version of y18n

What is npm installing on those repos? y18n doesn't show up as vulnerable on https://libraryupgrader2.wmcloud.org/vulns/npm for those repos...?

In T278857#7073343, @Legoktm wrote:

What is npm installing on those repos? y18n doesn't show up as vulnerable on https://libraryupgrader2.wmcloud.org/vulns/npm for those repos...?

No idea, sorry

In T278857#7073343, @Legoktm wrote:

What is npm installing on those repos?

The answer might just be the wrong versions....

Even after https://gerrit.wikimedia.org/r/c/wikimedia/toolhub/+/692689/

km@b35df4ae983f:/toolhub$ npm ls hosted-git-info
toolhub@0.1.0 /toolhub
├─┬ @vue/cli@4.5.13
│ └─┬ @vue/cli-shared-utils@4.5.13
│   └─┬ read-pkg@5.2.0
│     └─┬ normalize-package-data@2.5.0
│       └── hosted-git-info@2.8.8 
├─┬ stylelint@13.13.1
│ └─┬ meow@9.0.0
│   └─┬ normalize-package-data@3.0.2
│     └── hosted-git-info@4.0.2 
└─┬ stylelint-config-wikimedia@0.10.3
  └─┬ stylelint@13.8.0
    └─┬ meow@8.1.2
      └─┬ normalize-package-data@3.0.0
        └── hosted-git-info@3.0.7

P16074 (An Untitled Masterwork)

1	Processing /home/km/gerrit/mediawiki/core/extensions/AbuseFilter/package-lock.json
2	[src/main.rs:85] &deps = [
3	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
4	]
5	Processing /home/km/gerrit/mediawiki/core/extensions/AdvancedSearch/package-lock.json
6	[src/main.rs:85] &deps = [
7	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
8	]
9	Processing /home/km/gerrit/mediawiki/core/extensions/CentralNotice/package-lock.json
10	[src/main.rs:85] &deps = [
11	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
12	]
13	Processing /home/km/gerrit/mediawiki/core/extensions/CodeMirror/package-lock.json
14	[src/main.rs:85] &deps = [
15	"hosted-git-info@3.0.7: resolved is not a valid URL: (relative URL without a base)",
16	]
17	Processing /home/km/gerrit/mediawiki/core/extensions/Echo/package-lock.json
18	[src/main.rs:85] &deps = [
19	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
20	]
21	Processing /home/km/gerrit/mediawiki/core/extensions/ElectronPdfService/package-lock.json
22	[src/main.rs:85] &deps = [
23	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
24	]
25	Processing /home/km/gerrit/mediawiki/core/extensions/EntitySchema/package-lock.json
26	[src/main.rs:85] &deps = [
27	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
28	]
29	Processing /home/km/gerrit/mediawiki/core/extensions/FileImporter/package-lock.json
30	[src/main.rs:85] &deps = [
31	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
32	]
33	Processing /home/km/gerrit/mediawiki/core/extensions/GrowthExperiments/package-lock.json
34	[src/main.rs:85] &deps = [
35	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
36	]
37	Processing /home/km/gerrit/mediawiki/core/extensions/Math/package-lock.json
38	[src/main.rs:85] &deps = [
39	"ua-parser-js@0.7.21: resolved is not a valid URL: (relative URL without a base)",
40	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
41	]
42	Processing /home/km/gerrit/mediawiki/core/extensions/NearbyPages/package-lock.json
43	[src/main.rs:85] &deps = [
44	"hosted-git-info@3.0.7: resolved is not a valid URL: (relative URL without a base)",
45	]
46	Processing /home/km/gerrit/mediawiki/core/extensions/Newsletter/package-lock.json
47	[src/main.rs:85] &deps = [
48	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
49	]
50	Processing /home/km/gerrit/mediawiki/core/extensions/ProofreadPage/package-lock.json
51	[src/main.rs:85] &deps = [
52	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
53	]
54	Processing /home/km/gerrit/mediawiki/core/extensions/RelatedArticles/package-lock.json
55	[src/main.rs:85] &deps = [
56	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
57	]
58	Processing /home/km/gerrit/mediawiki/core/extensions/RevisionSlider/package-lock.json
59	[src/main.rs:85] &deps = [
60	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
61	]
62	Processing /home/km/gerrit/mediawiki/core/extensions/TemplateWizard/package-lock.json
63	[src/main.rs:85] &deps = [
64	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
65	]
66	Processing /home/km/gerrit/mediawiki/core/extensions/TwoColConflict/package-lock.json
67	[src/main.rs:85] &deps = [
68	"hosted-git-info@3.0.7: resolved is not a valid URL: (relative URL without a base)",
69	]
70	Processing /home/km/gerrit/mediawiki/core/extensions/VisualEditor/package-lock.json
71	[src/main.rs:85] &deps = [
72	"hosted-git-info@3.0.7: resolved is not a valid URL: (relative URL without a base)",
73	]
74	Processing /home/km/gerrit/mediawiki/core/extensions/WikibaseLexeme/package-lock.json
75	[src/main.rs:85] &deps = [
76	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
77	]
78	Processing /home/km/gerrit/mediawiki/core/skins/WikimediaApiPortal/package-lock.json
79	[src/main.rs:85] &deps = [
80	"hosted-git-info@3.0.7: resolved is not a valid URL: (relative URL without a base)",
81	]
82	Processing /home/km/gerrit/wm-branches-core/package-lock.json
83	[src/main.rs:85] &deps = [
84	"hosted-git-info@2.8.8: resolved is not a valid URL: (relative URL without a base)",
85	]

So where did the y18n ones go?

Legoktm mentioned this in T242058: Add some form of static analysis for package-lock.json.May 19 2021, 5:17 AM

In T278857#7097164, @Legoktm wrote:

So where did the y18n ones go?

All the examples seem to be from REL1_31, which I don't have locally.

Change 693239 had a related patch set uploaded (by Legoktm; author: Legoktm):

[labs/libraryupgrader@master] Fix the stupid npm "resolved" issue

https://gerrit.wikimedia.org/r/693239

gerritbot added a project: Patch-For-Review.May 21 2021, 1:49 AM

Change 693239 merged by jenkins-bot:

[labs/libraryupgrader@master] Fix the stupid npm "resolved" issue

https://gerrit.wikimedia.org/r/693239

Example fix commit: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AdvancedSearch/+/693244

Running through all the broken "master" branches identified by package-lock-lint now.

Maintenance_bot removed a project: Patch-For-Review.May 21 2021, 4:10 AM

Most repos should be fixed now. Anything *not* fixed should be showing up as an error in LibUp.

With package-lock-lint and LibUp's auto fixing, this should be fixed now and no new cases will be introduced going forward.

"build: Updating y18n to 3.2.2" commits didn't all work properlyClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

"build: Updating y18n to 3.2.2" commits didn't all work properly
Closed, ResolvedPublic
Actions