Page MenuHomePhabricator
Create Task
Maniphest T284338

Security Readiness Review For Rollup.js
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
Module bundler for JavaScript that runs in Node.js. From the project page:

Rollup is a module bundler for JavaScript which compiles small pieces of code into something larger and more complex, such as a library or application. It uses the new standardized format for code modules included in the ES6 revision of JavaScript, instead of previous idiosyncratic solutions such as CommonJS and AMD. ES modules let you freely and seamlessly combine the most useful individual functions from your favorite libraries. This will eventually be possible natively everywhere, but Rollup lets you do it today.

Description of how the tool will be used at WMF:

The Design Systems Team is looking into the current generation of JS module bundlers in relation to two projects: WVUI (which is currently bundled using Webpack, a tool we're looking to move away from), and a possible general-purpose front-end build step for MediaWiki extensions.

Relevant Phab tasks:

Dependencies

Has this project been reviewed before?
I don't believe so.

Working test environment
The above Gerrit patch for WVUI demonstrates a way to build the code for the library using Rollup, includes a working configuration file, and is a good example of how this tool would be used.

Post-deployment
Design Systems Team and @egardner

Related Objects
Search...

Event Timeline

egardner created this task.Jun 4 2021, 6:23 PM
Restricted Application added a project: secscrum. · View Herald TranscriptJun 4 2021, 6:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
egardner added a project: Deprecated-Design-Systems-team-board (Design Systems Team Radar).Jun 4 2021, 6:23 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.Jun 8 2021, 3:53 PM
sbassett assigned this task to Reedy.Jul 1 2021, 6:32 PM
sbassett triaged this task as Medium priority.
sbassett moved this task from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.Jul 13 2021, 4:01 PM
Catrope added a parent task: T284341: Security Readiness Review For Vite.Jul 29 2021, 8:57 PM
Catrope subscribed.

Vite (for which there's a separate security readiness review task) depends on Rollup. I've linked the two tasks to (hopefully) make this relationship clearer.

sbassett mentioned this in T264822: (MS 7) Security Readiness Review For Wikidata Query Builder.Aug 9 2021, 2:49 PM
Ladsgroup subscribed.Aug 9 2021, 5:44 PM
Reedy removed a project: Deprecated-Design-Systems-team-board (Design Systems Team Radar).Sep 25 2021, 1:49 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Sep 25 2021, 2:38 PM
Reedy closed this task as Resolved.Oct 12 2021, 11:57 AM

Sorry for the delay in getting this finished off.

Security Review Summary - T284338 - 2021-09-25
**Last commit reviewed: https://github.com/rollup/rollup/tree/v2.57.0**

Summary

Overall, the current state of Rollup seems fine, with an overall risk rating of: low.

I will admit I've not dug into the individual plugins too much, but when it's mostly the same development team, this should be mostly encompassing. Similar goes for the vue maintained plugin, delegation to the basic review for Vue, and acceptance of using their packages.

Package is well used, actively maintained with regular releases, which do contain a range of different fixes, including those with

Test environment

Some feedback with regards to https://gerrit.wikimedia.org/r/c/wvui/+/694972, the patch is WIP (which is fine), but not passing CI (again not a major issue), and nor is there any apparent commit of the resultant build artefacts. While it's not absolutely necessary, it would have been helpful in terms of reviewing as a whole. And until T279108: Introduce a Front-end Build Step for MediaWiki Skins and Extensions is fully decided on, I believe we would be committing those sorts of outputs (for now at least), rather than just being a dynamic build step along the way.

It may only be done for ease of testing purposes, but we generally don't pin packages (in composer or npm) using semver constraints (as evident by every other package in package.json). Just something to be aware of, especially during wider usage. If you need/want the package kept upto date, use of LibUp would meet our more standard deployment criteria. Obviously the repo does have a package-lock.json, so things are at least reproducible, which does help mitigate that issue too.

General
The only apparent CVE I can find relating to rollup is https://nvd.nist.gov/vuln/detail/CVE-2020-7684, but it's not a (direct) dependancy of rollup itself, so not of any real concern.

There is currently no security policy, or any obvious way of reporting security issues against the project. https://github.com/rollup/rollup/issues/3980 has been filed (as part of the Drupal projects review for similar purposes), without any action/output just yet. There's also very little detail on what is considered "supported" releases. So for this purpose, we would want to keep ontop of package updates, especially when we roll this out more widely. Again, LibUp would be able to help out here.

However, the developers do seem generally active and responsive, and no real history of security issues (beyond the usual node package dependancy trees, and the security issues that some of them bring). Combining this with the regular releases is overall a good thing to see. This is backed up by npm audit on the v2.57.0 release being clean, but the older v2.50.0 release used in the example patch having one issue. Therefore shows good general project npm package hygeine. npm outdated does have some entries in both, but these are a non issue.

The package-lock.json file is committed and kept upto date. Various plugins seem to use other lock files (not necessarily package-lock.json), which is fine.

The mono repo at https://github.com/rollup/plugins uses pnpm for package/dependancy management, which has its own pnpm-lock.yaml file. Because, you know, what we needed was yet another package management tool...

The lack of support and security policy does come across as medium risk, but our usual mitigation and hygeine about those sorts of package updates (ie LibUp) should be enough mitigation to be considered low.

I will note that some of the upstreams aren't the most friendly to work with.

Vulnerable Packages - Production

v2.57.0: None!

Vulnerable Packages - Development

v2.57.0: None!

v2.50.0:

$ npm audit
# npm audit report

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://npmjs.com/advisories/1773
fix available via `npm audit fix`
node_modules/path-parse

1 moderate severity vulnerability

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

v2.57.0:

Package                       Current    Wanted   Latest  Location                                  Depended by
@rollup/plugin-node-resolve    13.0.4    13.0.5   13.0.5  node_modules/@rollup/plugin-node-resolve  rollup
@types/node                  10.17.60  10.17.60  16.10.1  node_modules/@types/node                  rollup
colorette                       1.4.0     1.4.0   2.0.10  node_modules/colorette                    rollup
eslint-plugin-prettier          3.4.1     3.4.1    4.0.0  node_modules/eslint-plugin-prettier       rollup
husky                           6.0.0     6.0.0    7.0.2  node_modules/husky                        rollup
lint-staged                    10.5.4    10.5.4   11.1.2  node_modules/lint-staged                  rollup
mocha                           8.4.0     8.4.0    9.1.2  node_modules/mocha                        rollup
rollup                         2.56.3    2.57.0   2.57.0  node_modules/rollup                       rollup
terser                          5.8.0     5.9.0    5.9.0  node_modules/terser                       rollup

v2.50.0:

npm outdated
Package                            Current    Wanted   Latest  Location                                       Depended by
@rollup/plugin-alias                 3.1.2     3.1.5    3.1.5  node_modules/@rollup/plugin-alias              rollup
@rollup/plugin-commonjs           18.0.0-1  18.0.0-1   20.0.0  node_modules/@rollup/plugin-commonjs           rollup
@rollup/plugin-node-resolve         13.0.0    13.0.5   13.0.5  node_modules/@rollup/plugin-node-resolve       rollup
@rollup/plugin-replace               2.4.2     2.4.2    3.0.0  node_modules/@rollup/plugin-replace            rollup
@types/micromatch                    4.0.1     4.0.2    4.0.2  node_modules/@types/micromatch                 rollup
@types/node                       10.17.59  10.17.60  16.10.1  node_modules/@types/node                       rollup
@types/signal-exit                   3.0.0     3.0.1    3.0.1  node_modules/@types/signal-exit                rollup
@types/yargs-parser                 20.2.0    20.2.1   20.2.1  node_modules/@types/yargs-parser               rollup
@typescript-eslint/eslint-plugin    4.24.0    4.31.2   4.31.2  node_modules/@typescript-eslint/eslint-plugin  rollup
@typescript-eslint/parser           4.24.0    4.31.2   4.31.2  node_modules/@typescript-eslint/parser         rollup
acorn                                8.2.4     8.5.0    8.5.0  node_modules/acorn                             rollup
acorn-jsx                            5.3.1     5.3.2    5.3.2  node_modules/acorn-jsx                         rollup
acorn-walk                           8.1.0     8.2.0    8.2.0  node_modules/acorn-walk                        rollup
chokidar                             3.5.1     3.5.2    3.5.2  node_modules/chokidar                          rollup
colorette                            1.2.2     1.4.0   2.0.10  node_modules/colorette                         rollup
core-js                             3.12.0    3.18.0   3.18.0  node_modules/core-js                           rollup
es5-shim                            4.5.15     4.6.2    4.6.2  node_modules/es5-shim                          rollup
eslint                              7.26.0    7.32.0   7.32.0  node_modules/eslint                            rollup
eslint-plugin-import                2.23.2    2.24.2   2.24.2  node_modules/eslint-plugin-import              rollup
eslint-plugin-prettier               3.4.0     3.4.1    4.0.0  node_modules/eslint-plugin-prettier            rollup
execa                                5.0.0     5.1.1    5.1.1  node_modules/execa                             rollup
husky                                6.0.0     6.0.0    7.0.2  node_modules/husky                             rollup
lint-staged                         10.5.4    10.5.4   11.1.2  node_modules/lint-staged                       rollup
markdownlint-cli                    0.27.1    0.27.1   0.28.1  node_modules/markdownlint-cli                  rollup
mocha                                8.4.0     8.4.0    9.1.2  node_modules/mocha                             rollup
prettier                             2.2.1     2.4.1    2.4.1  node_modules/prettier                          rollup
rollup                              2.47.0    2.57.0   2.57.0  node_modules/rollup                            rollup
rollup-plugin-license                2.3.0     2.5.0    2.5.0  node_modules/rollup-plugin-license             rollup
signal-exit                          3.0.3     3.0.4    3.0.4  node_modules/signal-exit                       rollup
source-map-support                  0.5.19    0.5.20   0.5.20  node_modules/source-map-support                rollup
systemjs                             6.8.3    6.10.3   6.10.3  node_modules/systemjs                          rollup
terser                               5.7.0     5.9.0    5.9.0  node_modules/terser                            rollup
tslib                                2.2.0     2.3.1    2.3.1  node_modules/tslib                             rollup
typescript                           4.2.4     4.4.3    4.4.3  node_modules/typescript                        rollup
yargs-parser                        20.2.7    20.2.9   20.2.9  node_modules/yargs-parser                      rollup
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.Oct 12 2021, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits