
Investigate replacing vue-cli with vite and webpack with rollup for Toolhub
Open, Stalled, Low, Public

Description

Security Review Summary - T273020 - 2021-08-09
Last commit reviewed: d9e475d1ff13

[...snip...]

Build/Test steps
Currently, the code uses vue-cli-services to build its dist artifacts, which by default uses certain webpack dependencies. Given the complexity and known code quality issues of webpack, this will be categorized as a Medium Risk. I'm not certain of the end destination of Toolhub, but if it is to be hosted within "Wikimedia production", then the Security-Team (@Reedy, @Mstyles or myself) should likely be apprised of any webpack-related builds that go through gerrit, e.g. https://gerrit.wikimedia.org/r/641052 and https://gerrit.wikimedia.org/r/708629. Otherwise, the current recommended mitigation is to use vite/rollup as an alternative to webpack (e.g. T276366).

The patches for T276366: Wikidata Query Builder: replace vue-cli with vite and webpack with rollup also included a switch from node v10 to node v12. If that is a strict dependency this would be blocked on T284352: Upgrade Toolhub ui container from nodejs10 to nodejs12.