
Update nodejs libraries that fall within current semver constraints
Closed, Resolved (Public)

Description

Security Review Summary - T273020 - 2021-08-09
Last commit reviewed: d9e475d1ff13

[...snip...]

| Package | Current | Wanted | Latest |
|---|---|---|---|
| @casl/ability | MISSING | 5.3.1 | 5.3.1 |
| @casl/vue | MISSING | 1.2.2 | 2.1.1 |
| @wikimedia/language-data | 1.0.0 | 1.0.3 | 1.0.3 |
| banana-i18n | 2.0.0 | 2.2.0 | 2.2.0 |
| core-js | MISSING | 3.16.1 | 3.16.1 |
| swagger-client | 3.12.2 | 3.15.0 | 3.15.0 |
| vue-frag | MISSING | 1.1.5 | 1.1.5 |
| vue-i18n | 8.22.4 | 8.25.0 | 8.25.0 |
| vue-meta | MISSING | 2.4.0 | 2.4.0 |
| vue-router | 3.4.9 | 3.5.2 | 3.5.2 |
| vuetify | 2.4.3 | 2.5.8 | 2.5.8 |
| vuex | 3.6.0 | 3.6.2 | 3.6.2 |
| @wikimedia/jsonschema-tools | 0.9.0 | 0.9.0 | 0.10.4 |
| chart.js | 2.9.4 | 2.9.4 | 3.5.0 |
| stylelint-config-wikimedia | 0.10.3 | 0.10.3 | 0.11.1 |
| vue | 2.6.12 | 2.6.14 | 2.6.14 |
| vue-template-compiler | 2.6.12 | 2.6.14 | 2.6.14 |
| webpack-bundle-tracker | 0.4.3 | 0.4.3 | 1.2.0 |

Not all of these are a simple npm update call to fix, but we should get as many as we can. Tasks like T279394: Upgrade chart.js to 3.x can be made for breaking changes that should be looked at more carefully before merging.

Event Timeline

I have generated fresh npm outdated results from my local HEAD in part because the table from the security review appears to have been created from a partial install (the "MISSING" current versions) and in part because there have been some package changes on the main branch since the reviewed commit was tagged. The "Notes" column will collect information on difficult or unneeded updates.

| Package | Current | Wanted | Latest | Notes |
|---|---|---|---|---|
| @casl/vue | 1.2.2 | 1.2.2 | 2.1.1 | 2.x is for Vue 3.x; 1.2.2 is the latest Vue 2.x compatible release |
| @intlify/eslint-plugin-vue-i18n | 0.11.1 | 0.11.1 | 0.12.0 | |
| @vue/test-utils | 1.2.1 | 1.2.2 | 1.2.2 | |
| @wikimedia/jsonschema-tools | 0.9.0 | 0.9.0 | 0.10.4 | |
| @wikimedia/language-data | 1.0.2 | 1.0.3 | 1.0.3 | |
| banana-i18n | 2.1.0 | 2.2.0 | 2.2.0 | |
| chart.js | 2.9.4 | 2.9.4 | 3.5.0 | T279394: Upgrade chart.js to 3.x |
| core-js | 3.12.1 | 3.16.1 | 3.16.1 | |
| eslint | 7.26.0 | 7.32.0 | 7.32.0 | |
| eslint-plugin-vuetify | 1.0.0-beta.8 | 1.0.1 | 1.0.1 | |
| mocha | 8.4.0 | 8.4.0 | 9.0.3 | v9.0.3 drops support for node v10. Blocked by T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 |
| sass | 1.32.13 | 1.37.5 | 1.37.5 | |
| sass-loader | 10.2.0 | 10.2.0 | 12.1.0 | v11.x and v12.x require webpack v5. webpack@"^4.0.0" is a requirement of @vue/cli-service@4.5.13. 10.2.0 is the last webpack v4.x compatible version. |
| sinon | 10.0.0 | 10.0.0 | 11.1.2 | |
| sinon-chai | 3.6.0 | 3.7.0 | 3.7.0 | |
| stylelint-config-wikimedia | 0.10.3 | 0.10.3 | 0.11.1 | |
| swagger-client | 3.13.3 | 3.15.0 | 3.15.0 | Library apparently does not follow SemVer rules. v3.15.0 requires node v12.4, and v3.14.0 actually does as well due to its dependency on formdata-node. We can update to v3.13.7 and/or wait for T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 |
| vue | 2.6.12 | 2.6.14 | 2.6.14 | |
| vue-cli-plugin-vuetify | 2.4.0 | 2.4.2 | 2.4.2 | |
| vue-i18n | 8.24.4 | 8.25.0 | 8.25.0 | |
| vue-router | 3.5.1 | 3.5.2 | 3.5.2 | |
| vue-template-compiler | 2.6.12 | 2.6.14 | 2.6.14 | |
| vuetify | 2.5.0 | 2.5.8 | 2.5.8 | |
| webpack-bundle-tracker | 0.4.3 | 0.4.3 | 1.2.0 | Needs to match the version of the python library django-webpack-loader, current max of 1.1.0 |

Change 712500 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: Upgrade nodejs libs

https://gerrit.wikimedia.org/r/712500

Change 712501 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: `npm audit fix` for path-parse & url-parse

https://gerrit.wikimedia.org/r/712501

After the proposed patches, this is what the npm outdated report looks like:

$ npm outdated
Package                 Current  Wanted  Latest  Location
@casl/vue                 1.2.3   1.2.3   2.1.1  toolhub
chart.js                  2.9.4   2.9.4   3.5.0  toolhub
mocha                     8.4.0   8.4.0   9.0.3  toolhub
sass-loader              10.2.0  10.2.0  12.1.0  toolhub
swagger-client           3.13.7  3.13.7  3.15.0  toolhub
webpack-bundle-tracker    0.4.3   0.4.3   1.2.0  toolhub

These are all currently blocked on something:

bd808 moved this task from Backlog to Review on the Toolhub board.

Change 712500 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: Upgrade nodejs libs

https://gerrit.wikimedia.org/r/712500

Change 712501 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: `npm audit fix` for path-parse & url-parse

https://gerrit.wikimedia.org/r/712501