Page MenuHomePhabricator
Create Task
Maniphest T288542

Update nodejs libraries that fall within current semver constraints
Closed, ResolvedPublic
Actions

Description

In T273020#7271039, @sbassett wrote:

Security Review Summary - T273020 - 2021-08-09
Last commit reviewed: d9e475d1ff13

[...snip...]

PackageCurrentWantedLatest
@casl/abilityMISSING5.3.15.3.1
@casl/vueMISSING1.2.22.1.1
@wikimedia/language-data1.0.01.0.31.0.3
banana-i18n2.0.02.2.02.2.0
core-jsMISSING3.16.13.16.1
swagger-client3.12.23.15.03.15.0
vue-fragMISSING1.1.51.1.5
vue-i18n8.22.48.25.08.25.0
vue-metaMISSING2.4.02.4.0
vue-router3.4.93.5.23.5.2
vuetify2.4.32.5.82.5.8
vuex3.6.03.6.23.6.2
@wikimedia/jsonschema-tools0.9.00.9.00.10.4
chart.js2.9.42.9.43.5.0
stylelint-config-wikimedia0.10.30.10.30.11.1
vue2.6.122.6.142.6.14
vue-template-compiler2.6.122.6.142.6.14
webpack-bundle-tracker0.4.30.4.31.2.0

Not all of these are a simple npm update call to fix, but we should get as many as we can. Tasks like T279394: Upgrade chart.js to 3.x can be made for breaking changes that should be looked at more carefully before merging.

Details

SubjectRepoBranchLines +/-
ui: `npm audit fix` for path-parse & url-parsewikimedia/toolhubmain+6 -6
ui: Upgrade nodejs libswikimedia/toolhubmain+561 -1 K
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Aug 10 2021, 4:48 PM
bd808 mentioned this in T273020: Security Readiness Review For Toolhub.Aug 10 2021, 6:11 PM
bd808 added a comment.EditedAug 11 2021, 12:55 AM

I have generated fresh npm outdated results from my local HEAD in part because the table from the security review appears to have been created from a partial install (the "MISSING" current versions) and in part because there have been some package changes on the main branch since the reviewed commit was tagged. The "Notes" column will collect information on difficult or unneeded updates.

PackageCurrentWantedLatestNotes
@casl/vue1.2.21.2.22.1.12.x is for Vue 3.x, 1.2.2 is the latest Vue 2.x compatible release
@intlify/eslint-plugin-vue-i18n0.11.10.11.10.12.0
@vue/test-utils1.2.11.2.21.2.2
@wikimedia/jsonschema-tools0.9.00.9.00.10.4
@wikimedia/language-data1.0.21.0.31.0.3
banana-i18n2.1.02.2.02.2.0
chart.js2.9.42.9.43.5.0T279394: Upgrade chart.js to 3.x
core-js3.12.13.16.13.16.1
eslint7.26.07.32.07.32.0
eslint-plugin-vuetify1.0.0-beta.81.0.11.0.1
mocha8.4.08.4.09.0.3v9.0.3 drops support for node v10. Blocked by T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 (or newer)
sass1.32.131.37.51.37.5
sass-loader10.2.010.2.012.1.0v11.x and v12.x require webpack v5. webpack@"^4.0.0" is a requirement of @vue/cli-service@4.5.13. 10.2.0 is the last webpack v4.x compatible version.
sinon10.0.010.0.011.1.2
sinon-chai3.6.03.7.03.7.0
stylelint-config-wikimedia0.10.30.10.30.11.1
swagger-client3.13.33.15.03.15.0Library apprently does not follow SemVer rules. v3.15.0 requires node v12.4 and v.3.14.0 actually does as well due to it's dependency on formdata-node. We can update to vv3.13.7 and/or wait for T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 (or newer)
vue2.6.122.6.142.6.14
vue-cli-plugin-vuetify2.4.02.4.22.4.2
vue-i18n8.24.48.25.08.25.0
vue-router3.5.13.5.23.5.2
vue-template-compiler2.6.122.6.142.6.14
vuetify2.5.02.5.82.5.8
webpack-bundle-tracker0.4.30.4.31.2.0Needs to match version of python library django-webpack-loader, current max of 1.1.0
bd808 mentioned this in T284346: Provide a node 12 production image (based on bullseye?).Aug 12 2021, 12:07 AM
gerritbot added a comment.Aug 12 2021, 5:58 PM

Change 712500 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: Upgrade nodejs libs

https://gerrit.wikimedia.org/r/712500

gerritbot added a project: Patch-For-Review.Aug 12 2021, 5:58 PM

Change 712501 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: `npm audit fix` for path-parse & url-parse

https://gerrit.wikimedia.org/r/712501

bd808 added a comment.Aug 12 2021, 6:04 PM

After the proposed patches, this is what the npm outdated report looks like:

$ npm outdated
Package                 Current  Wanted  Latest  Location
@casl/vue                 1.2.3   1.2.3   2.1.1  toolhub
chart.js                  2.9.4   2.9.4   3.5.0  toolhub
mocha                     8.4.0   8.4.0   9.0.3  toolhub
sass-loader              10.2.0  10.2.0  12.1.0  toolhub
swagger-client           3.13.7  3.13.7  3.15.0  toolhub
webpack-bundle-tracker    0.4.3   0.4.3   1.2.0  toolhub

These are all currently blocked on something:

bd808 claimed this task.Aug 12 2021, 6:09 PM
bd808 moved this task from Backlog to Review on the Toolhub board.
Restricted Application added a project: User-bd808. · View Herald TranscriptAug 12 2021, 6:09 PM
gerritbot added a comment.Aug 12 2021, 6:35 PM

Change 712500 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: Upgrade nodejs libs

https://gerrit.wikimedia.org/r/712500

gerritbot added a comment.Aug 12 2021, 6:35 PM

Change 712501 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: `npm audit fix` for path-parse & url-parse

https://gerrit.wikimedia.org/r/712501

Maintenance_bot removed a project: Patch-For-Review.Aug 12 2021, 7:10 PM
bd808 closed this task as Resolved.Aug 13 2021, 7:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL