
Security Readiness Review For Vite
Open, Stalled, Medium, Public

Description

Project Information

Description of the tool/project:
Vite is a JS module bundler and development tool. From the project page:

Vite (French word for "fast", pronounced /vit/) is a build tool that aims to provide a faster and leaner development experience for modern web projects. It consists of two major parts:

  • A dev server that provides rich feature enhancements over native ES modules, for example extremely fast Hot Module Replacement (HMR).
  • A build command that bundles your code with Rollup, pre-configured to output highly optimized static assets for production.

Description of how the tool will be used at WMF:
The Design Systems Team is looking into the current generation of JS module bundlers in relation to two projects: WVUI (which is currently bundled using Webpack, a tool we're looking to move away from), and a possible general-purpose front-end build step for MediaWiki extensions.

Relevant Phab tasks
https://phabricator.wikimedia.org/T272879
https://phabricator.wikimedia.org/T279108

Dependencies

  • Vite is built on top of two stand-alone projects, Rollup and ESBuild.
  • A recent version of Node.js is required (v12 or later).
  • Some first- or third-party plugins may be needed for certain features. Specifically, we'd want to use the vite-plugin-vue2 plugin to bundle Vue components.

Has this project been reviewed before?
No.

Working test environment
The above Gerrit patch for WVUI demonstrates a way to build the code for the WVUI library using Vite, includes a working configuration file, and is a good example of how this tool would be used.

Post-deployment
Design Systems Team and @egardner

Event Timeline

sbassett triaged this task as Medium priority.
sbassett moved this task from Back Orders to In Progress on the secscrum board.

@egardner is there a more targeted launch date, perhaps a month as opposed to a quarter?

FYI, Wikidata query builder just started using Vite. The authors of that change may not have been aware of this security readiness review request https://gerrit.wikimedia.org/r/c/wikidata/query-builder/+/705353

Vite depends on Rollup, which there's a separate security readiness review task for. I've linked the two tasks to (hopefully) make this relationship clearer.

Security Review Summary - T284341 - 2021-09-30

Overall, the current vendor code under consideration...
with an overall risk rating of: medium

General Security Information

Statistic/Info                          | Value                          | Risk
Repository                              | https://github.com/vitejs/vite | none
Relevant tag/branch                     | master                         | none
Last commit reviewed (if relevant)      | c87763c                        | none
Recent contributions to code (6 months) | >50                            | low
Active developers with > 10 commits     | 18                             | low
Current overall usage                   | 31k stars, 2.1k forks          | low
Current open security issues            | 0                              | none

Vulnerable Packages
snyk results:
18 total vulnerabilities reported
8 XSS Vulnerabilities - high

Outdated Packages
As reported via npm outdated:
none
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

General Security Issues
  • 11 of the 18 reported vulnerabilities are in the playground package, which should be lower risk.
  • There are 4 XSS vulns in the middleware package, which is higher risk.
  • No security issues were reported in the Vite GitHub issues.

Notes
  • We should avoid using the server-side rendering feature, as it is experimental: https://vitejs.dev/guide/ssr.html
  • If possible, we should address the XSS vulns via pull request to Vite, as Vite seems to be a very active project.

sbassett changed the task status from Open to Stalled. Tue, Oct 5, 2:34 PM
sbassett moved this task from In Progress to Waiting on the secscrum board.

@egardner @Catrope - let us know if you have any questions on the review results above. It sounds like there are some issues around vulnerable dependencies which we'd likely want to mitigate, if possible. Otherwise, the current medium risk of Vite would require manager/director-level acceptance via our current risk management framework.

@egardner @Catrope This is going into our risk registry next week and will be owned by @marcella and @MarkTraceur.

Thank you! Apologies for the late response. We can submit PRs for the XSS vulnerabilities upstream, I would be happy to work on that if you could share the details.

We also do not intend to use the SSR features in Vite. We are planning to do SSR eventually, but our tentative plans for that do not involve using Vite for it.

...We can submit PRs for the XSS vulnerabilities upstream, I would be happy to work on that if you could share the details.

@Catrope -

It might just involve trivial version bumps or referencing a new commit sha version, if someone else has already done the security patching. I don't know if that's the case for any of the aforementioned npm dependencies, but it's likely at least worth checking recent versions, etc. If you or your team does get involved in patching upstream package vulns, can we track those as separate tasks related to this review task? They don't have to explicitly be sub-tasks, but referencing this review task would be great so that we can track them down the road. One of the future goals of the Security-Team is to better track vulnerability findings from various reviews (which will likely be mostly automated in the future) and analyze how many are eventually resolved. Thanks!