Page MenuHomePhabricator
Create Task
Maniphest T354881

[T-REF] Wikibase CI broken due to Tainted Reference Node 18 indirect crypto dependency incompatibility
Open, Needs TriagePublic
Actions

Description

Currently, Wikibase CI build fails the new Node18 job with this error coming from the Tainted References app/widget:

16:45:03 node:internal/crypto/hash:69
16:45:03   this[kHandle] = new _Hash(algorithm, xofLen);
16:45:03                   ^
16:45:03 
16:45:03 Error: error:0308010C:digital envelope routines::unsupported
16:45:03     at new Hash (node:internal/crypto/hash:69:19)
16:45:03     at Object.createHash (node:crypto:133:10)
16:45:03     at module.exports (/src/view/lib/wikibase-tainted-ref/node_modules/webpack/lib/util/createHash.js:135:53)
16:45:03     at NormalModule._initBuildHash (/src/view/lib/wikibase-tainted-ref/node_modules/webpack/lib/NormalModule.js:417:16)
16:45:03     at handleParseError (/src/view/lib/wikibase-tainted-ref/node_modules/webpack/lib/NormalModule.js:471:10)
16:45:03     at /src/view/lib/wikibase-tainted-ref/node_modules/webpack/lib/NormalModule.js:503:5
16:45:03     at /src/view/lib/wikibase-tainted-ref/node_modules/webpack/lib/NormalModule.js:358:12
16:45:03     at /src/view/lib/wikibase-tainted-ref/node_modules/loader-runner/lib/LoaderRunner.js:373:3
16:45:03     at iterateNormalLoaders (/src/view/lib/wikibase-tainted-ref/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
16:45:03     at Array.<anonymous> (/src/view/lib/wikibase-tainted-ref/node_modules/loader-runner/lib/LoaderRunner.js:205:4) {
16:45:03   opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
16:45:03   library: 'digital envelope routines',
16:45:03   reason: 'unsupported',
16:45:03   code: 'ERR_OSSL_EVP_UNSUPPORTED'
16:45:03 }
16:45:03 
16:45:03 Node.js v18.17.0
16:45:03 ERROR: "build:app -- --dest /tmp/tainted-refs-build" exited with 1.
16:45:03 ERROR: "test:distnodiff" exited with 1.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Skip tainted references test:distnodiff script to fix Wikibase CImediawiki/extensions/WikibaseREL1_40+1 -1
Skip tainted references test:distnodiff script to fix Wikibase CImediawiki/extensions/Wikibasewmf/1.42.0-wmf.13+1 -1
Skip tainted references test:distnodiff script to fix Wikibase CImediawiki/extensions/WikibaseREL1_41+1 -1
Skip tainted references test:distnodiff script to fix Wikibase CImediawiki/extensions/Wikibasemaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Michael created this task.Jan 11 2024, 4:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2024, 4:05 PM
gerritbot added a comment.Jan 11 2024, 4:10 PM

Change 989897 had a related patch set uploaded (by Michael Große; author: Michael Große):

[mediawiki/extensions/Wikibase@master] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/989897

gerritbot added a project: Patch-For-Review.Jan 11 2024, 4:10 PM
Lucas_Werkmeister_WMDE subscribed.Jan 11 2024, 4:17 PM
gerritbot added a comment.Jan 11 2024, 4:53 PM

Change 989897 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/989897

Maintenance_bot removed a project: Patch-For-Review.Jan 11 2024, 5:30 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.14; 2024-01-16).Jan 11 2024, 6:00 PM
WMDE-Fisch subscribed.Jan 12 2024, 10:39 AM

There's a similar issue on Page-Previews CI jobs. See https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Popups/+/989189 and https://integration.wikimedia.org/ci/job/mwgate-node18-docker/632/console

There seems to be a solution I found while googling https://paulyu.dev/article/fixing-node-digital-envelope-routines-error/

If that's fine for you I would hijack this issue and make it more general.

Michael added a comment.Jan 12 2024, 10:47 AM

From my side, feel free to do so. Though, I would hope that just updating all the dependencies would also update whatever outdated legacy open-ssl thing that is still referenced somehwere. So export NODE_OPTIONS=--openssl-legacy-provider maybe should just be a stop-gap.

WMDE-Fisch added a comment.Jan 12 2024, 10:51 AM
In T354881#9455750, @Michael wrote:

From my side, feel free to do so. Though, I would hope that just updating all the dependencies would also update whatever outdated legacy open-ssl thing that is still referenced somehwere. So export NODE_OPTIONS=--openssl-legacy-provider maybe should just be a stop-gap.

Good point. Yeah, maybe it makes sense to start with the updates to the dependencies and then it also makes sense to have a separate ticket for Page-Previews. Thanks!

hashar added subscribers: Jdforrester-WMF, hashar.Jan 12 2024, 10:54 AM

The mwgate-node18-docker job uses the container docker-registry.wikimedia.org/releng/node18-test:0.2.0-s2. It is based on Debian Bullseye. It has:

ii  libssl1.1:amd64 1.1.1w-0+deb11u1 amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl         1.1.1w-0+deb11u1 amd64        Secure Sockets Layer toolkit - cryptographic utility

And I guess Node JS 18 broke it?

WMDE-Fisch added a comment.Jan 12 2024, 10:56 AM
In T354881#9455771, @hashar wrote:

The mwgate-node18-docker job uses the container docker-registry.wikimedia.org/releng/node18-test:0.2.0-s2. It is based on Debian Bullseye. It has:

ii  libssl1.1:amd64 1.1.1w-0+deb11u1 amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl         1.1.1w-0+deb11u1 amd64        Secure Sockets Layer toolkit - cryptographic utility

And I guess Node JS 18 broke it?

Could be. At least it must be a very recent change.

Michael added a comment.Jan 12 2024, 10:58 AM

Mh, maybe? Though then I'm surprised that only so few apps are breaking. Could be that this is an issue where multiple things come together, some outdated npm dependencies + old openssl package in the base image? Updating that sounds also worthwhile if there is an update available.

WMDE-Fisch mentioned this in T354943: Page previews and MobileFrontend webpack builds broken by upgrade to Node 18.Jan 12 2024, 11:20 AM
hashar added a comment.Jan 12 2024, 11:33 AM

The jobs got migrated from Node 16 to Node 18 by https://gerrit.wikimedia.org/r/c/integration/config/+/989842

Then checking docker-registry.wikimedia.org/releng/node16-test , it is based on Bullseye as well and thus comes with the same ssl libs:

ii  libssl1.1:amd64 1.1.1w-0+deb11u1 amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl         1.1.1w-0+deb11u1 amd64        Secure Sockets Layer toolkit - cryptographic utility

So my guess is Webpack needs to be updated to match whatever new expectations are imposed by NodeJS 18 crypto. That is potentially solveable by upgrading webpack to 5.x? There is eg https://github.com/webpack/webpack/issues/17805

Both Wikibase tainted refs and the Popups extensions have Webpack 4.x as a dependency (for Popups I think that seems to be a transient dependency of Storybook).

If the upgrade is non trivial, I can recreate the NodeJS 16 jobs and rollback the repos from Node 18 to 16.

hashar added a comment.Jan 12 2024, 11:40 AM

And here is the webpack issue: nodejs 17: digital envelope routines::unsupported #14532.

Apparently fixed as part of add wasm md4 implementation #14584 which if I get it right was released with webpack v5.61.0.

Michael added a comment.Jan 12 2024, 12:12 PM

At least for tainted references, the proper way forward is to update the dependencies, but I'm not sure how much work that would be. I dimly remember that there were some issues with that in the past.

I can't say much about the Popups extension. Though we found in other places that storybook is really only useful during active development and not so much during maintenance phases. So in some cases we have plainly deleted it, because it didn't seem time well spent to keep it updated and unused, and it can always be recreated from Git

Jdforrester-WMF added a comment.Jan 12 2024, 1:35 PM

The upgrade just for Webpack is pretty easy – https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CodeMirror/+/989887 is the upgrade for MediaWiki-extensions-CodeMirror, where I didn't need to make any config changes; for Page-Previews I've done https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Popups/+/989889 but unfortunately it's compounded by Storybook also being broken by the upgrade, and having seemingly dozens of breaking changes.

Michael added a comment.Jan 12 2024, 2:49 PM

I looked into updating webpack (vue-cli) for tainted references, but I ran into a problem with it failing to find some files that we include in scss: Syntax Error: HookWebpackError: Cannot find module '../../../assets/close-icon.svg'. I tried a lot, but couldn't find a solution for this.

Probably, the sustainable way forward is to ditch vue-cli and switch to vite instead. But that will be for [Archived]Wikidata Dev Team (Quality Tools "Sprint") to decide and to implement.

gerritbot added a comment.Jan 17 2024, 11:54 AM

Change 991062 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Michael Große):

[mediawiki/extensions/Wikibase@wmf/1.42.0-wmf.13] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/991062

gerritbot added a project: Patch-For-Review.Jan 17 2024, 11:54 AM
gerritbot added a comment.Jan 17 2024, 1:31 PM

Change 991329 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Michael Große):

[mediawiki/extensions/Wikibase@REL1_41] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/991329

gerritbot added a comment.Jan 17 2024, 2:01 PM

Change 991329 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@REL1_41] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/991329

gerritbot added a comment.Jan 17 2024, 2:39 PM

Change 991331 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Michael Große):

[mediawiki/extensions/Wikibase@REL1_40] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/991331

gerritbot added a comment.Jan 17 2024, 2:42 PM

Change 991062 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@wmf/1.42.0-wmf.13] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/991062

Stashbot added a comment.Jan 17 2024, 2:43 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-17T14:43:11Z] <logmsgbot> lucaswerkmeister-wmde@deploy2002 Started scap: Backport for [[gerrit:991062|Skip tainted references test:distnodiff script to fix Wikibase CI (T354881)]], [[gerrit:991060|Only build result entries for used wbsearchentities results (T355053)]]

Stashbot mentioned this in T355053: Only create needed search result entries in wbsearchentities.Jan 17 2024, 2:43 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-17T14:44:39Z] <logmsgbot> lucaswerkmeister-wmde@deploy2002 lucaswerkmeister-wmde: Backport for [[gerrit:991062|Skip tainted references test:distnodiff script to fix Wikibase CI (T354881)]], [[gerrit:991060|Only build result entries for used wbsearchentities results (T355053)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Jan 17 2024, 2:51 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-17T14:51:40Z] <logmsgbot> lucaswerkmeister-wmde@deploy2002 Finished scap: Backport for [[gerrit:991062|Skip tainted references test:distnodiff script to fix Wikibase CI (T354881)]], [[gerrit:991060|Only build result entries for used wbsearchentities results (T355053)]] (duration: 08m 28s)

gerritbot added a comment.Jan 17 2024, 3:30 PM

Change 991331 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@REL1_40] Skip tainted references test:distnodiff script to fix Wikibase CI

https://gerrit.wikimedia.org/r/991331

ReleaseTaggerBot edited projects, added MW-1.42-notes (1.42.0-wmf.13; 2024-01-09 ); removed MW-1.42-notes (1.42.0-wmf.14; 2024-01-16).Jan 17 2024, 4:00 PM
ArthurTaylor renamed this task from Wikibase CI broken due to Tainted Reference Node 18 indirect crypto dependency incompatibility to [T-REF] Wikibase CI broken due to Tainted Reference Node 18 indirect crypto dependency incompatibility.Feb 2 2024, 11:00 AM
WMDE-Fisch unsubscribed.Feb 2 2024, 11:06 AM
ArthurTaylor moved this task from Incoming to [QT] By Project on the wmde-wikidata-tech board.Feb 2 2024, 11:20 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits