- Add the library as a dependency to extensions/Wikibase/composer.json
Library code on github: https://github.com/swaggest/json-diff
Subject | Repo | Branch | Lines +/-
---|---|---|---
Add experimental composer apitests job to Wikibase | integration/config | master | +1 -0
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T344228 Functionality for REST API v1
Resolved | | WMDE-leszek | T306934 🌶️ Change elements of an item statement
Resolved | | WMDE-leszek | T316245 🌶️ Add `swaggest/json-diff` library as a Wikibase dependency
Change 826548 had a related patch set uploaded (by Ollie Shotton; author: Ollie Shotton):
[mediawiki/vendor@master] Add swaggest/json-diff:3.8.3 for Wikibase REST API
Hello @Reedy @sbassett, maybe you could advise here. Please also direct our questions to another WMF Security staff member if that would be more appropriate.
I wonder how we should go about getting the said library added to mediawiki/vendor and shipped with MediaWiki to WMF servers. I admit I do not fully understand how T192453 concluded. The External libraries page does not mention the Third Party Code Review Checklist. How should we proceed with getting this library approved for WMF environments? Should I open a security review request ticket? Or is there some streamlined procedure for third-party libraries?
FWIW, I have run local-php-security-checker and snyk's php vulnerability check using your own php-security-tools over the library and no issues were reported.
Thanks
Change 826874 had a related patch set uploaded (by Jakob; author: Jakob):
[mediawiki/extensions/Wikibase@master] REST: Add JsonDiffStatementPatcher
Hey @WMDE-leszek - I think the result of T192453 was to just rely upon the third party checklist for now as a basic policy for security-reviewing vendor code. While that document is likely already a bit out-of-date, it should still serve as a good starting point. The Security-Team is happy to perform due-diligence reviews of new/significantly updated third-party packages and libraries intended for production deployment. You can submit a review request via our standard appsec review form, which will then get prioritized (per our appsec SOP) at the beginning of each quarter. I'll also plan to update the External libraries page with some clarifying information soon.
Change 828501 had a related patch set uploaded (by Jakob; author: Jakob):
[integration/config@master] Add experimental composer apitests job to Wikibase
Change 828501 merged by jenkins-bot:
[integration/config@master] Add experimental composer apitests job to Wikibase
Adding the library to be published with mediawiki/Wikibase on WMF wikis via the "mediawiki/vendor" package is out of scope here, and has been moved to a separate task, T316813, so as not to block development.