Page MenuHomePhabricator
Create Task
Maniphest T284341

Security Readiness Review For Vite
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
Vite is a JS module bundler and development tool. From the project page:

Vite (French word for "fast", pronounced /vit/) is a build tool that aims to provide a faster and leaner development experience for modern web projects. It consists of two major parts

  • A dev server that provides rich feature enhancements over native ES modules, for example extremely fast Hot Module Replacement (HMR).
  • A build command that bundles your code with Rollup, pre-configured to output highly optimized static assets for production.

Description of how the tool will be used at WMF:
The Design Systems Team is looking into the current generation of JS module bundlers in relation to two projects: WVUI (which is currently bundled using Webpack, a tool we're looking to move away from), and a possible general-purpose front-end build step for MediaWiki extensions.

Relevant Phab tasks
https://phabricator.wikimedia.org/T272879
https://phabricator.wikimedia.org/T279108

Dependencies

  • Vite is built on top of two stand-alone projects, Rollup and ESBuild.
  • A recent version of Node.js is required (v12 or later)
  • Some first- or third-party plugins may be needed for certain feaures. Specifically, we'd want to use the vite-plugin-vue2 plugin to bundle Vue components.

Has this project been reviewed before?
No.

Working test environment
The above Gerrit patch for WVUI demonstrates a way to build the code for the WVUI library using Vite, includes a working configuration file, and is a good example of how this tool would be used.

Post-deployment
Design Systems Team and @egardner

Related Objects
Search...

Event Timeline

egardner created this task.Jun 4 2021, 6:32 PM
Restricted Application added a project: secscrum. · View Herald TranscriptJun 4 2021, 6:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
egardner added a project: Deprecated-Design-Systems-team-board (Design Systems Team Radar).Jun 4 2021, 6:33 PM
egardner updated the task description. (Show Details)
egardner updated the task description. (Show Details)
sbassett moved this task from Incoming to Back Orders on the secscrum board.Jun 8 2021, 3:53 PM
sbassett assigned this task to Mstyles.Jul 1 2021, 6:31 PM
sbassett triaged this task as Medium priority.
sbassett moved this task from Back Orders to In Progress on the secscrum board.
Mstyles added a comment.Jul 1 2021, 6:32 PM

@egardner is there a more targeted launch date, perhaps a month as opposed to a quarter?

sbassett moved this task from In Progress to Upcoming Quarter Planning Queue on the secscrum board.Jul 1 2021, 6:34 PM
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.Jul 13 2021, 4:01 PM
Catrope subscribed.Jul 29 2021, 8:56 PM

FYI, Wikidata query builder just started using Vite. The authors of that change may not have been aware of this security readiness review request https://gerrit.wikimedia.org/r/c/wikidata/query-builder/+/705353

Catrope added a subtask: T284338: Security Readiness Review For Rollup.js.Jul 29 2021, 8:57 PM

Vite depends on Rollup, which there's a separate security readiness review task for. I've linked the two tasks to (hopefully) make this relationship clearer.

sbassett mentioned this in T264822: (MS 7) Security Readiness Review For Wikidata Query Builder.Aug 9 2021, 2:49 PM
Ladsgroup subscribed.Aug 9 2021, 5:45 PM
Mstyles added a comment.Sep 30 2021, 9:29 PM

Security Review Summary - T284341 - 2021-09-30

Overall, the current vendor code under consideration...
with an overall risk rating of: medium

General Security Information

Statistic/InfoValueRisk
Repositoryhttps://github.com/vitejs/vite none
Relevant tag/branchmaster none
Last commit reviewed (if relevant)c87763c none
Recent contributions to code (6 months)>50 low
Active developers with > 10 commits18 low
Current overall usage31k stars, 2.1k forks low
Current open security issues0 none

Vulnerable Packages
snyk results:
18 total vulnerabilities reported
8 XSS Vulnerabilities - high

Outdated Packages
As reported via npm outdated:
none
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

General Security Issues
11 of the 18 reported vulnerabilities are in the playground package, which should be lower risk
There are 4 XSS vulns in the middleware package, which is higher risk
No security issues were reported in the vite github issues

Notes
We should avoid using the server side rendering feature as that is experimental: https://vitejs.dev/guide/ssr.html
If possible, we should address the XSS vulns via pull request to Vite, as the Vite seems to be a very active project

sbassett changed the task status from Open to Stalled.Oct 5 2021, 2:34 PM
sbassett moved this task from In Progress to Waiting on the secscrum board.
sbassett subscribed.Oct 5 2021, 2:38 PM

@egardner @Catrope - let us know if you have any questions on the review results above. It sounds like there are some issues around vulnerable dependencies which we'd likely want to mitigate, if possible. Otherwise, the current medium risk of Vite would require manager/director-level acceptance via our current risk management framework.

Reedy closed subtask T284338: Security Readiness Review For Rollup.js as Resolved.Oct 12 2021, 11:57 AM
Mstyles added subscribers: marcella, MarkTraceur.Oct 19 2021, 7:24 PM

@egardner @Catrope This is going into our risk registry next week and will be owned by @marcella and @MarkTraceur.

Catrope added a comment.Oct 20 2021, 11:19 PM

Thank you! Apologies for the late response. We can submit PRs for the XSS vulnerabilities upstream, I would be happy to work on that if you could share the details.

We also do not intend to use the SSR features in Vite. We are planning to do SSR eventually, but our tentative plans for that do not involve using Vite for it.

sbassett added a comment.EditedOct 22 2021, 3:00 PM
In T284341#7446466, @Catrope wrote:

...We can submit PRs for the XSS vulnerabilities upstream, I would be happy to work on that if you could share the details.

@Catrope -

It might just involve trivial version bumps or referencing a new commit sha version, if someone else has already done the security patching. I don't know if that's the case for any of the aforementioned npm dependencies, but it's likely at least worth checking recent versions, etc. If you or your team does get involved in patching upstream package vulns, can we track those as separate tasks related to this review task? They don't have to explicitly be sub-tasks, but referencing this review task would be great so that we can track them down the road. One of the future goals of the Security-Team is to better track vulnerability findings from various reviews (which will likely be mostly automated in the future) and analyze how many are eventually resolved. Thanks!

Mstyles added a comment.Oct 27 2021, 12:21 AM

Marking this as complete since the subtasks have been created with the open vulnerabilities.

Mstyles closed this task as Resolved.Oct 27 2021, 12:21 AM
Mstyles moved this task from Waiting to Our Part Is Done on the secscrum board.
Aklapper removed a subtask: T294396: XSS vulnerabilities in the Vite server package.Oct 27 2021, 8:36 AM
Aklapper removed a subtask: T294399: Path Traversal Vulnerabilities in Vite.
Aklapper added parent tasks: T294399: Path Traversal Vulnerabilities in Vite, T294396: XSS vulnerabilities in the Vite server package.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits