Page MenuHomePhabricator
Create Task
Maniphest T309077

Remove dependency on istanbul in Mathoid
Closed, ResolvedPublicSecurity
Actions

Description

The istanbul npm package is no longer maintained.

Right now, when running npm audit we get:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution in async                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ async                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.4                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ istanbul [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ istanbul > async                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-fwr7-v2mv-hh25            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 236 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Apparently, it can be replaced by nyc.

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
Remove istanbul from package.jsonmediawiki/services/mathoidmaster+0 -334
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.May 24 2022, 8:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 24 2022, 8:02 AM
dom_walden added projects: Math, Mathoid.May 24 2022, 8:03 AM
dom_walden moved this task from Inbox to Doing on the Math board.May 25 2022, 7:41 AM
dom_walden moved this task from Doing to Inbox on the Math board.
sbassett subscribed.EditedMay 27 2022, 3:18 PM

@dom_walden - this issue was addressed in the change set for T309076, correct? Specifically: https://gerrit.wikimedia.org/r/799263. I'm going to resolve this task for now and I think T309076 can likely also be resolved, as the immediate issue described within that task has been resolved.

sbassett closed this task as Resolved.May 27 2022, 3:19 PM
sbassett claimed this task.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added projects: SecTeam-Processed, Vuln-VulnComponent.
dom_walden added a comment.May 27 2022, 3:20 PM
In T309077#7963354, @sbassett wrote:

@dom_walden - this issues was address in the change set for T309076, correct? Specifically: https://gerrit.wikimedia.org/r/799263. I'm going to resolve this task for now and I think T309076 can likely also be resolved, as the immediate issue described within that task has been resolved.

I am afraid not. Mathoid has its own dependency on istanbul which should be removed in a separate patch.

dom_walden added a comment.May 27 2022, 3:20 PM
In T309077#7963361, @dom_walden wrote:
In T309077#7963354, @sbassett wrote:

@dom_walden - this issues was address in the change set for T309076, correct? Specifically: https://gerrit.wikimedia.org/r/799263. I'm going to resolve this task for now and I think T309076 can likely also be resolved, as the immediate issue described within that task has been resolved.

I am afraid not. Mathoid has its own dependency on istanbul which should be removed in a separate patch.

I can probably do this myself, but haven't got around to it yet.

sbassett added a comment.May 27 2022, 3:22 PM
In T309077#7963361, @dom_walden wrote:

I am afraid not. Mathoid has its own dependency on istanbul which should be removed in a separate patch.

Ah, ok. Ostensibly, any owner/maintainer of mathoid should be able to do this as well.

Physikerwelt added a comment.May 27 2022, 4:35 PM

Actually one needs two persons, one doing the change and another one doing the review. That is the challenge. It has effectively been removed here https://gerrit.wikimedia.org/r/c/mediawiki/services/mathoid/+/494709/1/package.json in the context of T216191. However, unfortunately, I forgot to remove the dependency in package.json. Sorry.

sbassett added a comment.May 27 2022, 4:39 PM
In T309077#7963643, @Physikerwelt wrote:

However, unfortunately, I forgot to remove the dependency in package.json. Sorry.

No problem. So we just need one more change set to remove the package reference in package.json, correct? I'm happy to CR and even merge that.

Physikerwelt added a comment.May 27 2022, 4:43 PM

One question: Regarding current practices for nodejs projects: Do you always need to commit package-lock.json (this creates merge conflicts and makes the patch size indicator in Gerrit useless.

sbassett added a comment.May 27 2022, 4:58 PM
In T309077#7963686, @Physikerwelt wrote:

One question: Regarding current practices for nodejs projects: Do you always need to commit package-lock.json (this creates merge conflicts and makes the patch size indicator in Gerrit useless.

I believe this is still the standard, yes. And npm recommends that it be committed for several reasons.

Physikerwelt added a comment.May 27 2022, 5:48 PM

Okay. I added the package-lock file. In general, it makes sense, however, it does not fit well into the gerrit workflow.

sbassett added a subscriber: gerritbot.May 27 2022, 6:30 PM
gerritbot added a comment.May 31 2022, 3:55 PM

Change 800770 merged by jenkins-bot:

[mediawiki/services/mathoid@master] Remove istanbul from package.json

https://gerrit.wikimedia.org/r/800770

sbassett triaged this task as Low priority.May 31 2022, 4:39 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL