[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-31 Thread Tim_WMDE
Tim_WMDE added a comment.
Yeah, this ticket has nothing left to do, thanks.

TASK DETAIL
https://phabricator.wikimedia.org/T207988
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-31 Thread gerritbot
gerritbot added a comment.
Change 470527 merged by jenkins-bot:
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm deps & fix newly found styling issues

https://gerrit.wikimedia.org/r/470527


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-30 Thread gerritbot
gerritbot added a comment.
Change 470525 merged by jenkins-bot:
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies

https://gerrit.wikimedia.org/r/470525


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-30 Thread gabriel-wmde
gabriel-wmde added a comment.
I don't think this is an acceptable response. It's not just CI, it's also developers' laptops, which are an extremely high value target. While this vulnerability might be pretty minor, it's important to keep the security issues green, so that when an actual high severity vulnerability is reported, we don't miss it by assuming there is always a vulnerability.

You're right. We were already in "OMG, the fundraising campaign is coming, drop everything you're doing" mode, which is not a good excuse to slack on security, but the reason why we initially decided on postponing the fix.


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-29 Thread Legoktm
Legoktm added a comment.

In T207988#4703344, @gabriel-wmde wrote:
Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since we use the vulnerable component (grunt) only for running the continuous integration checks, where the risk of code injection is quite low.


I don't think this is an acceptable response. It's not just CI, it's also developers' laptops, which are an extremely high value target. While this vulnerability might be pretty minor, it's important to keep the security issues green, so that when an actual high severity vulnerability is reported, we don't miss it by assuming there is always a vulnerability.


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-29 Thread gerritbot
gerritbot added a comment.
Change 470527 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm packages and fix minor styling issues

https://gerrit.wikimedia.org/r/470527


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-29 Thread gerritbot
gerritbot added a comment.
Change 470525 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies

https://gerrit.wikimedia.org/r/470525


[Wikidata-bugs] [Maniphest] [Commented On] T207988: Update grunt to 1.0.3 for AdvancedSearch and WikibaseQualityConstraints

2018-10-29 Thread gabriel-wmde
gabriel-wmde added a comment.
Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since we use the vulnerable component (grunt) only for running the continuous integration checks, where the risk of code injection is quite low.