
Security Readiness Review For Vuex 4 (upgrade from Vuex 3)
Status: Closed, Resolved (Public)

Description

Project Information

Description of the tool/project:
Vuex is a state management system designed to be used with Vue.

Description of how the tool will be used at WMF:
Vuex will be used for more complex Vue-based front-end applications. Currently, Vuex 3.1.3 (which works with Vue 2.x) is used in production by the MediaSearch and MachineVision projects.

Dependencies
Vue 3.x (for which a security readiness review is requested in T257734)

Has this project been reviewed before?
Older versions of both Vue and Vuex were reviewed in T168264

Working test environment
https://codesandbox.io/s/flamboyant-bogdan-fm3vy?file=/src/main.js

Post-deployment
The Design Systems team will continue to be responsible for the Vue ecosystem in MediaWiki.

Details

Author Affiliation
WMF Product

Event Timeline


Security Review Summary - T288768 - 2021-12-06

Overall, the current vendor code under consideration...
with an overall risk rating of: medium

Vuex 4

General Security Information

Statistic/Info | Value | Risk
Repository | https://github.com/vuejs/vuex/tree/4.0 | none
Relevant tag/branch | 4.0 | none
Last commit reviewed (if relevant) | eb52dfa | none
Recent contributions to code (6 months) | 19 | medium
Active developers with > 10 commits | 8 | low
Current overall usage | 27k stars, 9.2k forks | low
Current open security issues | 0 | none

Vulnerable Packages
13 high and 1 critical vulnerability found in dev dependencies
Risk: medium
Dev dependencies can be exploited, but this was lowered from high risk since the dependencies are dev only

Outdated Packages
As reported via npm outdated:

Package | Current | Wanted | Latest
@babel/core | 7.14.3 | 7.16.0 | 7.16.0
@babel/preset-env | 7.14.2 | 7.16.4 | 7.16.4
@rollup/plugin-commonjs | 19.0.0 | 19.0.2 | 21.0.1
@rollup/plugin-node-resolve | 13.0.0 | 13.0.6 | 13.0.6
@rollup/plugin-replace | 2.4.2 | 2.4.2 | 3.0.0
@types/node | 15.6.0 | 15.14.9 | 16.11.9
@vue/compiler-sfc | 3.2.20 | 3.2.22 | 3.2.22
@vue/devtools-api | 6.0.0-beta.11 | 6.0.0-beta.20.1 | 6.0.0-beta.20.1
babel-jest | 26.6.3 | 26.6.3 | 27.3.1
babel-loader | 8.2.2 | 8.2.3 | 8.2.3
chalk | 4.1.1 | 4.1.2 | 4.1.2
css-loader | 2.1.1 | 2.1.1 | 6.5.1
eslint | 7.27.0 | 7.32.0 | 8.3.0
execa | 5.0.0 | 5.1.1 | 6.0.0
jest | 26.6.3 | 26.6.3 | 27.3.1
puppeteer | 9.1.1 | 9.1.1 | 11.0.0
regenerator-runtime | 0.13.7 | 0.13.9 | 0.13.9
rollup | 2.58.0 | 2.60.1 | 2.60.1
start-server-and-test | 1.12.3 | 1.14.0 | 1.14.0
typescript | 4.2.4 | 4.5.2 | 4.5.2
vitepress | 0.20.0 | 0.20.1 | 0.20.1
vue | 3.2.20 | 3.2.22 | 2.6.14
vue-loader | 16.5.0 | 16.8.3 | 15.9.8
webpack | 4.44.2 | 4.46.0 | 5.64.2
webpack-dev-middleware | 3.7.2 | 3.7.3 | 5.2.2
webpack-hot-middleware | 2.25.0 | 2.25.1 | 2.25.1

Risk: low.

Static Analysis Results
Running semgrep with the OWASP Top 10 policy and general CI had zero findings. Using NJSscan did return a couple of items, but nothing of note.

Risk: low.

General Security Issues

  1. There is an open PR to the conventional-changelog package to update the vulnerable handlebars version, but it's been open since May with no action
  2. There are a high number of outdated packages, but none seem to have any noted vulnerabilities to be concerned about
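The "dev only" downgrade in the Vulnerable Packages section, and the handlebars item above, both rest on the same claim: every install path of the vulnerable package is reachable only through devDependencies, so it is never shipped to production. The following is an added example, not code from the Vuex project or from this review, that checks that claim mechanically by joining `npm audit --json` output (auditReportVersion 2, npm 7 and later) against the `dev` flags that npm records in `package-lock.json` (lockfileVersion 2 or 3). The lockfile and audit objects below are constructed sample data: they carry no real advisory identifiers, and the package `some-prod-lib`, all versions and all ranges are assumptions made up for the illustration.

```javascript
// Added example, not from the Vuex project or from the review on this page.
// Assumes npm 7+ formats: package-lock.json lockfileVersion 2/3 with a
// "packages" map whose dev-only entries carry dev: true, and
// `npm audit --json` (auditReportVersion 2) with "vulnerabilities" keyed by
// package name, each listing the installed paths under "nodes".

// Constructed sample lockfile fragment (not the real Vuex lockfile).
const sampleLock = {
  name: "example-lib",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-lib", devDependencies: { "conventional-changelog": "^3.1.24" } },
    "node_modules/conventional-changelog": { version: "3.1.24", dev: true },
    "node_modules/handlebars": { version: "4.7.6", dev: true },
    // Assumed production dependency, invented for contrast.
    "node_modules/some-prod-lib": { version: "1.0.0" }
  }
};

// Constructed sample `npm audit --json` output (no real advisory IDs or titles).
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    handlebars: {
      name: "handlebars",
      severity: "high",
      isDirect: false,
      via: [{ name: "handlebars", severity: "high", title: "constructed example advisory" }],
      effects: ["conventional-changelog"],
      range: "<4.7.7",
      nodes: ["node_modules/handlebars"],
      fixAvailable: true
    },
    "some-prod-lib": {
      name: "some-prod-lib",
      severity: "critical",
      isDirect: true,
      via: [{ name: "some-prod-lib", severity: "critical", title: "constructed example advisory" }],
      effects: [],
      range: "<1.0.1",
      nodes: ["node_modules/some-prod-lib"],
      fixAvailable: true
    }
  }
};

// Classify each audit finding by looking up every installed copy in the lockfile.
// A finding is dev-only only if *all* of its install paths are flagged dev: true;
// a single non-dev copy makes the whole finding production-reachable. Paths the
// lockfile does not know about go to "unknown" and should be treated as
// production until resolved.
function classifyAudit(audit, lock) {
  const packages = (lock && lock.packages) || {};
  const result = { devOnly: [], production: [], unknown: [] };
  for (const vuln of Object.values((audit && audit.vulnerabilities) || {})) {
    const nodes = vuln.nodes || [];
    const flags = nodes.map((path) => {
      const entry = packages[path];
      if (!entry) return "unknown";
      return entry.dev === true ? "dev" : "prod";
    });
    let bucket;
    if (flags.length === 0 || flags.includes("unknown")) bucket = "unknown";
    else if (flags.every((f) => f === "dev")) bucket = "devOnly";
    else bucket = "production";
    result[bucket].push({ name: vuln.name, severity: vuln.severity, nodes });
  }
  return result;
}

// Count findings per severity in each bucket, the shape a risk rating is built from.
function summarize(classified) {
  const bySeverity = (list) =>
    list.reduce((acc, v) => {
      acc[v.severity] = (acc[v.severity] || 0) + 1;
      return acc;
    }, {});
  return {
    devOnly: bySeverity(classified.devOnly),
    production: bySeverity(classified.production),
    unknown: bySeverity(classified.unknown)
  };
}

const classified = classifyAudit(sampleAudit, sampleLock);
console.log(JSON.stringify(summarize(classified), null, 2));
```

Against a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and the saved output of `npm audit --json`; `npm audit --omit=dev` (npm 8+) gives an independent cross-check that the production set is empty. The rule of requiring every node to be dev-flagged matters because npm hoists packages, and one copy pulled in by a production dependency is enough to make a "dev only" finding ship.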
sbassett changed the task status from Open to In Progress. Dec 8 2021, 9:54 PM
sbassett triaged this task as Low priority.

Hey @Catrope (and your current director, @dr0ptp4kt, as recorded in Namely) -

We've entered this as an accepted medium risk into the Security-Team's risk registry, per @Mstyles's findings above. If you have any questions, please first refer to our current (internal) risk management framework. If any risk treatment or mitigation plans are to be created, please feel free to follow up here with that information. Thanks.

sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.