Not all of these are a simple npm update call to fix, but we should get as many as we can. Tasks like T279394: Upgrade chart.js to 3.x can be made for breaking changes that should be looked at more carefully before merging.
Description
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
ui: `npm audit fix` for path-parse & url-parse | wikimedia/toolhub | main | +6 -6
ui: Upgrade nodejs libs | wikimedia/toolhub | main | +561 -1 K
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T288685 Establish active/active multi-dc support for Toolhub
Resolved | | bd808 | T115650 Create an authoritative and well promoted catalog of Wikimedia tools
Resolved | | bd808 | T271483 Complete and announce initial production deployment of Toolhub
Resolved | | sbassett | T273020 Security Readiness Review For Toolhub
Resolved | | bd808 | T288542 Update nodejs libraries that fall within current semver constraints
Event Timeline
I have generated fresh npm outdated results from my local HEAD in part because the table from the security review appears to have been created from a partial install (the "MISSING" current versions) and in part because there have been some package changes on the main branch since the reviewed commit was tagged. The "Notes" column will collect information on difficult or unneeded updates.
Package | Current | Wanted | Latest | Notes |
---|---|---|---|---|
@casl/vue | 1.2.2 | 1.2.2 | 2.1.1 | 2.x is for Vue 3.x, 1.2.2 is the latest Vue 2.x compatible release |
@intlify/eslint-plugin-vue-i18n | 0.11.1 | 0.11.1 | 0.12.0 | |
@vue/test-utils | 1.2.1 | 1.2.2 | 1.2.2 | |
@wikimedia/jsonschema-tools | 0.9.0 | 0.9.0 | 0.10.4 | |
@wikimedia/language-data | 1.0.2 | 1.0.3 | 1.0.3 | |
banana-i18n | 2.1.0 | 2.2.0 | 2.2.0 | |
chart.js | 2.9.4 | 2.9.4 | 3.5.0 | T279394: Upgrade chart.js to 3.x |
core-js | 3.12.1 | 3.16.1 | 3.16.1 | |
eslint | 7.26.0 | 7.32.0 | 7.32.0 | |
eslint-plugin-vuetify | 1.0.0-beta.8 | 1.0.1 | 1.0.1 | |
mocha | 8.4.0 | 8.4.0 | 9.0.3 | v9.0.3 drops support for node v10. Blocked by T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 (or newer) |
sass | 1.32.13 | 1.37.5 | 1.37.5 | |
sass-loader | 10.2.0 | 10.2.0 | 12.1.0 | v11.x and v12.x require webpack v5. webpack@"^4.0.0" is a requirement of @vue/cli-service@4.5.13. 10.2.0 is the last webpack v4.x compatible version. |
sinon | 10.0.0 | 10.0.0 | 11.1.2 | |
sinon-chai | 3.6.0 | 3.7.0 | 3.7.0 | |
stylelint-config-wikimedia | 0.10.3 | 0.10.3 | 0.11.1 | |
swagger-client | 3.13.3 | 3.15.0 | 3.15.0 | Library apparently does not follow SemVer rules. v3.15.0 requires node v12.4 and v3.14.0 actually does as well due to its dependency on formdata-node. We can update to v3.13.7 and/or wait for T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 (or newer) |
vue | 2.6.12 | 2.6.14 | 2.6.14 | |
vue-cli-plugin-vuetify | 2.4.0 | 2.4.2 | 2.4.2 | |
vue-i18n | 8.24.4 | 8.25.0 | 8.25.0 | |
vue-router | 3.5.1 | 3.5.2 | 3.5.2 | |
vue-template-compiler | 2.6.12 | 2.6.14 | 2.6.14 | |
vuetify | 2.5.0 | 2.5.8 | 2.5.8 | |
webpack-bundle-tracker | 0.4.3 | 0.4.3 | 1.2.0 | Needs to match version of python library django-webpack-loader, current max of 1.1.0 |
Change 712500 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):
[wikimedia/toolhub@main] ui: Upgrade nodejs libs
Change 712501 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):
[wikimedia/toolhub@main] ui: `npm audit fix` for path-parse & url-parse
After the proposed patches, this is what the npm outdated report looks like:
```
$ npm outdated
Package                 Current  Wanted  Latest  Location
@casl/vue               1.2.3    1.2.3   2.1.1   toolhub
chart.js                2.9.4    2.9.4   3.5.0   toolhub
mocha                   8.4.0    8.4.0   9.0.3   toolhub
sass-loader             10.2.0   10.2.0  12.1.0  toolhub
swagger-client          3.13.7   3.13.7  3.15.0  toolhub
webpack-bundle-tracker  0.4.3    0.4.3   1.2.0   toolhub
```
These are all currently blocked on something:
- @casl/vue@2.1.1 requires vue 3.x
- T279394: Upgrade chart.js to 3.x
- mocha@9.0.3, sass-loader@12.1.0, & swagger-client@3.15.0 all depend on T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12 (or newer)
- webpack-bundle-tracker@1.2.0 has no matching python library version yet. webpack-bundle-tracker@1.1.0 is possible, but not yet actioned on.
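The triage done by hand in the tables above (Current vs Wanted is an in-range `npm update`; Wanted vs Latest crossing a major, or a minor on a 0.x line, needs its own task) can be automated over `npm outdated --json`. This is an added example, not code from the Toolhub repository; the report below is constructed from versions in this task, and the `MISSING` value mirrors the security review's table.

```javascript
// Constructed sample in the shape `npm outdated --json` emits (one key per package).
const sampleReport = {
  "@casl/vue":                   { current: "1.2.2",        wanted: "1.2.2",  latest: "2.1.1" },
  "@wikimedia/jsonschema-tools": { current: "0.9.0",        wanted: "0.9.0",  latest: "0.10.4" },
  "core-js":                     { current: "3.12.1",       wanted: "3.16.1", latest: "3.16.1" },
  "eslint-plugin-vuetify":       { current: "1.0.0-beta.8", wanted: "1.0.1",  latest: "1.0.1" },
  "mocha":                       { current: "8.4.0",        wanted: "8.4.0",  latest: "9.0.3" },
  "vue":                         { current: "MISSING",      wanted: "2.6.14", latest: "2.6.14" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else (e.g. "MISSING").
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Under caret ranges a major bump is breaking, and so is a minor bump while the
// package is still on a 0.x line (^0.9.0 does not admit 0.10.4).
function isBreaking(from, to) {
  return to.major > from.major || (from.major === 0 && to.minor > from.minor);
}

// Split a report into:
//   inRange  - `npm update` moves Current to Wanted without touching package.json
//   breaking - Latest is past Wanted in a way semver calls breaking; needs its own task
//   unparsed - Wanted or Latest is not a plain semver string; look at it by hand
// A package can appear in both inRange and breaking (e.g. an in-range fix now and a
// major bump later). Runtime constraints such as a package's Node engine requirement
// are not visible in this report, so the result is a first pass, not a merge decision.
function triage(report) {
  const out = { inRange: [], breaking: [], unparsed: [] };
  for (const [name, row] of Object.entries(report)) {
    const wanted = parseSemver(row.wanted);
    const latest = parseSemver(row.latest);
    if (!wanted || !latest) { out.unparsed.push(name); continue; }
    // "MISSING" and pre-release Currents differ from Wanted, so they land here too.
    if (row.current !== row.wanted) out.inRange.push(`${name}@${row.wanted}`);
    if (isBreaking(wanted, latest)) out.breaking.push(`${name}@${row.latest}`);
  }
  return out;
}

console.log(triage(sampleReport));
```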
Change 712500 merged by jenkins-bot:
[wikimedia/toolhub@main] ui: Upgrade nodejs libs
Change 712501 merged by jenkins-bot:
[wikimedia/toolhub@main] ui: `npm audit fix` for path-parse & url-parse