Tim_WMDE added a comment.
Yeah, this ticket has nothing left to do, thanks.
TASK DETAIL
https://phabricator.wikimedia.org/T207988
EMAIL PREFERENCES
https://phabricator.wikimedia.org/settings/panel/emailpreferences/
To: Lucas_Werkmeister_WMDE, Tim_WMDE
Cc: Lucas_Werkmeister_WMDE, Legoktm, Tim_WMDE,
gerritbot added a comment.
Change 470527 merged by jenkins-bot:
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm deps & fix newly found styling issues
https://gerrit.wikimedia.org/r/470527
gerritbot added a comment.
Change 470525 merged by jenkins-bot:
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies
https://gerrit.wikimedia.org/r/470525
gabriel-wmde added a comment.
I don't think this is an acceptable response. It's not just CI, it's also developers' laptops, which are an extremely high value target. While this vulnerability might be pretty minor, it's important to keep the security issues green, so that when an actual high
Legoktm added a comment.
In T207988#4703344, @gabriel-wmde wrote:
Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since we use the vulnerable component (grunt) only for running the continuous integration checks, where the risk of code injection is
gerritbot added a comment.
Change 470527 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/WikibaseQualityConstraints@master] Update npm packages and fix minor styling issues
https://gerrit.wikimedia.org/r/470527
gerritbot added a comment.
Change 470525 had a related patch set uploaded (by Tim Eulitz; owner: Tim Eulitz):
[mediawiki/extensions/AdvancedSearch@master] Update npm dev dependencies
https://gerrit.wikimedia.org/r/470525
gabriel-wmde added a comment.
Thanks for bringing this up! We decided to postpone the fix for AdvancedSearch to next year, since we use the vulnerable component (grunt) only for running the continuous integration checks, where the risk of code injection is quite low.