See T281527: Security Readiness Review For Vue composition API plugin for more context on how this task came about.

The deployment target date is nuanced: we plan to introduce the plugin in WVUI in the coming weeks, but that doesn't immediately result in production deployment. That would only occur once we cut a new release of WVUI and put it in MediaWiki core. We may well be ready to do that some time in May or early June, but if the security review isn't complete by then, we could hold off (or put it behind a feature flag) until we have real code in an extension using it that is ready to deploy. And we don't think we would get to _that_ stage until July (or perhaps June if things go well/fast).

@Catrope What version of the composition API do you plan to use? From the release page, it seems that v1.0.0 only has release candidates and betas. Is there a particular commit you are planning to pin to?

In T281527#7108133, @Mstyles wrote:

@Catrope What version of the composition API do you plan to use? From the release page, it seems that v1.0.0 only has release candidates and betas. Is there a particular commit you are planning to pin to?

We are currently using 1.0.0-rc.8, which was the latest version in NPM at the time. But I now see that rc.10 was released last week, so we'll want to upgrade to that.

So sorry for the late response, @Mstyles! I missed your comment and only saw it today because I was working on this task for other reasons. I've added it to our team's workboard so that we can keep a closer eye on it in the future.

In T281527#7047249, @Catrope wrote:

The deployment target date is nuanced: we plan to introduce the plugin in WVUI in the coming weeks, but that doesn't immediately result in production deployment. That would only occur once we cut a new release of WVUI and put it in MediaWiki core. We may well be ready to do that some time in May or early June, but if the security review isn't complete by then, we could hold off (or put it behind a feature flag) until we have real code in an extension using it that is ready to deploy. And we don't think we would get to _that_ stage until July (or perhaps June if things go well/fast).

I released wvui 0.2.0 today, which uses the composition API plugin. However, it also includes a smaller bundle with a subset of the library that does not use the plugin. In https://gerrit.wikimedia.org/r/c/mediawiki/core/+/697700 I put that bundle in MediaWiki core instead of the full library. Once this security review is completed and hopefully the use of the plugin is approved, I'll replace the limited bundle with the full one. (Making the smaller bundle wasn't something we did just for this, we needed it for performance reasons anyway. But it came in handy here.)

Hello security people (@sbassett @Mstyles), just a heads up that I'll be on vacation from right after all-hands until pretty much the end of the quarter (June 18 - 29, returning on June 30). If you have questions about this task during that time, please ping @egardner.

Cool, thanks for the update, @Catrope. @Mstyles and I discussed this review today and I believe she plans on posting the report deliverable within the next day or so.

(ref: https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Third_Party_Code_Review_Checklist)

Security Review Summary - Vue Composition API - 2021-06-10

Overall, the current vendor code under consideration...
has an overall risk rating of: low.
Please ensure that you are following all security best practices for Vue
as listed in their documentation

General Security Information

Vulnerable Packages
low
npm audit results: 89 moderate risk packages, 15 high risk packages
They all come from three dev dependencies: jest, conventional-github-releaser, and conventional-changelog-cli
Since they are dev dependencies, this is pretty low risk.

Outdated Packages
none
As reported via npm outdated:
NPM outdated does report the tslib library as missing. It is not missing and is listed in package.json,
but as a dependency and not a dev dependency.

General Security Issues

1. There are only release candidates for version 1, which means code is constantly changing and hard to ensure project stability. It would be ideal to make sure once the 1.0 release is available, another follow up security review should be done to ensure there aren't any security issues.

Thank you!

There are only release candidates for version 1, which means code is constantly changing and hard to ensure project stability. It would be ideal to make sure once the 1.0 release is available, another follow up security review should be done to ensure there aren't any security issues.

Understood, that makes sense. Once 1.0 comes out, we will seek to upgrade to it and request another security review.

I should also add that the Vue team has announced that they are planning to work on a Vue 2.7 release that would include backported features from Vue 3, hopefully including the composition API. As part of this effort, the composition API plugin may be discontinued as a separate plugin and merged into Vue itself. Whatever Vue 2.7 contains, we will likely want to upgrade to it when it comes out (we're currently on 2.6), and we'd need a security review for that too. Hopefully it'll contain the composition API functionality so that we can just do the Vue 2.6->2.7 upgrade + security review and skip version 1.0 of the plugin entirely, but it depends on how the timing works out.

Change 699951 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/core@master] wvui: Change the wvui module back to the full WVUI bundle

https://gerrit.wikimedia.org/r/699951

In T281527#7158003, @Catrope wrote:

There are only release candidates for version 1, which means code is constantly changing and hard to ensure project stability. It would be ideal to make sure once the 1.0 release is available, another follow up security review should be done to ensure there aren't any security issues.

We can probably just re-open this task with an updated description and a new comment pinging the Security-Team.

I should also add that the Vue team has announced that they are planning to work on a Vue 2.7 release that would include backported features from Vue 3, hopefully including the composition API. As part of this effort, the composition API plugin may be discontinued as a separate plugin and merged into Vue itself. Whatever Vue 2.7 contains, we will likely want to upgrade to it when it comes out (we're currently on 2.6), and we'd need a security review for that too. Hopefully it'll contain the composition API functionality so that we can just do the Vue 2.6->2.7 upgrade + security review and skip version 1.0 of the plugin entirely, but it depends on how the timing works out.

It would be really good if the timing works out here, so as to avoid both a re-review of the proper 1.0 release of the composition API along with a new review of the future 2.7 release. I guess we'll have to cross our fingers for now :)

In T281527#7158412, @sbassett wrote:

In T281527#7158003, @Catrope wrote:

There are only release candidates for version 1, which means code is constantly changing and hard to ensure project stability. It would be ideal to make sure once the 1.0 release is available, another follow up security review should be done to ensure there aren't any security issues.

We can probably just re-open this task with an updated description and a new comment pinging the Security-Team.

Great, we will do that then. I'll close this task once the attached patch is merged.

It would be really good if the timing works out here, so as to avoid both a re-review of the proper 1.0 release of the composition API along with a new review of the future 2.7 release. I guess we'll have to cross our fingers for now :)

Yes, I'm really hoping that happens.

Change 699951 merged by jenkins-bot:

[mediawiki/core@master] wvui: Change the 'wvui' module back to the full WVUI bundle

https://gerrit.wikimedia.org/r/699951

Thanks @sbassett and @Mstyles for the prioritization here!