sbassett added a comment.
!!**Security Review Summary - T249039 <https://phabricator.wikimedia.org/T249039> - 2020-07-06**!!

**Last commit reviewed:**

1. Wikibase: `cbfd8bbca3bf816ace5bafdfbd112ddaa44274da`

For this review, I focused mainly upon the TypeScript app within Wikibase's `client/data-bridge` directory, with a cursory glance at the config files within `client/includes/DataBridge/` and the generic wikidata item regex component of the IS.php config changes (`((Q[1-9][0-9]*)).*#(P[1-9][0-9]*)`), which all seem fine.

I didn't find anything significantly disturbing with the TypeScript app other than it being a substantial amount of complex code with myriad dependencies. Overall, I would currently assign a risk rating of {icon exclamation-triangle color=yellow} **medium** given the dependency issues below.

**Vulnerable Packages**

1. No production vulnerabilities found with `npm audit --production`, though a significant number (4,343!) were found within dev dependencies. Please run an `npm audit` to confirm and address as needed. **Risk: {icon exclamation-triangle color=yellow} medium**
2. No production vulnerabilities found with `snyk test`, though a significant number (26 issues, 4,391 vulnerable paths) were found within dev dependencies. See the attached file (F31919092 <https://phabricator.wikimedia.org/F31919092>) for the output of the snyk report. **Risk: {icon exclamation-triangle color=yellow} medium**

**Outdated Packages**

As reported via `npm outdated` (no explicit vulnerabilities reported, simply noting for completeness' sake. **Risk: {icon check-circle color=green} low**):

| Package | Current | Wanted | Latest |
| ---------------------------------------- | -------------- | -------------- | ------- |
| @babel/core | 7.8.4 | 7.10.4 | 7.10.4 |
| @storybook/addon-a11y | 5.3.14 | 5.3.19 | 5.3.19 |
| @storybook/addon-actions | 5.3.14 | 5.3.19 | 5.3.19 |
| @storybook/addon-docs | 5.3.14 | 5.3.19 | 5.3.19 |
| @storybook/addon-knobs | 5.3.14 | 5.3.19 | 5.3.19 |
| @storybook/addon-links | 5.3.14 | 5.3.19 | 5.3.19 |
| @storybook/addons | 5.3.14 | 5.3.19 | 5.3.19 |
| @storybook/vue | 5.3.14 | 5.3.19 | 5.3.19 |
| @types/jest | 24.9.1 | 24.9.1 | 26.0.3 |
| @types/jquery | 3.3.32 | 3.5.0 | 3.5.0 |
| @types/node | 12.12.27 | 12.12.48 | 14.0.18 |
| @types/uuid | 3.4.7 | 3.4.9 | 8.0.0 |
| @typescript-eslint/eslint-plugin | 2.19.2 | 2.34.0 | 3.6.0 |
| @typescript-eslint/parser | 2.19.2 | 2.34.0 | 3.6.0 |
| @vue/cli-plugin-babel | 4.2.2 | 4.4.6 | 4.4.6 |
| @vue/cli-plugin-eslint | 4.2.2 | 4.4.6 | 4.4.6 |
| @vue/cli-plugin-typescript | 4.4.4 | 4.4.6 | 4.4.6 |
| @vue/cli-plugin-unit-jest | 4.2.2 | 4.4.6 | 4.4.6 |
| @vue/cli-service | 4.2.2 | 4.4.6 | 4.4.6 |
| @vue/eslint-config-typescript | 5.0.1 | 5.0.2 | 5.0.2 |
| @vue/test-utils | 1.0.0-beta.29 | 1.0.0-beta.29 | 1.0.3 |
| @wdio/cli | 5.22.4 | 5.23.0 | 6.1.24 |
| @wdio/local-runner | 5.22.4 | 5.23.0 | 6.1.24 |
| @wdio/mocha-framework | 5.18.7 | 5.23.0 | 6.1.19 |
| @wdio/spec-reporter | 5.22.4 | 5.23.0 | 6.1.23 |
| @wdio/sync | 5.20.1 | 5.23.0 | 6.1.14 |
| @wmde/eslint-config-wikimedia-typescript | 0.1.1 | 0.1.1 | 0.2.0 |
| @wmde/wikibase-datamodel-types | 0.1.0 | 0.1.0 | 0.2.0 |
| babel-core | 7.0.0-bridge.0 | 7.0.0-bridge.0 | 6.26.3 |
| babel-eslint | 10.0.3 | 10.1.0 | 10.1.0 |
| bootstrap | 4.4.1 | 4.5.0 | 4.5.0 |
| core-js | 3.6.4 | 3.6.5 | 3.6.5 |
| deep-equal | 2.0.1 | 2.0.3 | 2.0.3 |
| eslint | 6.8.0 | 6.8.0 | 7.4.0 |
| eslint-config-wikimedia | 0.15.0 | 0.15.3 | 0.16.2 |
| eslint-plugin-jest-formatting | 1.2.0 | 1.2.0 | 2.0.0 |
| eslint-plugin-vue | 6.1.2 | 6.2.2 | 6.2.2 |
| eslint-plugin-wdio | 5.13.2 | 5.13.2 | 6.0.12 |
| node-sass | 4.13.1 | 4.14.1 | 4.14.1 |
| oojs-ui | 0.39.0 | 0.39.2 | 0.39.2 |
| postcss-prefixwrap | 1.13.0 | 1.16.0 | 1.16.0 |
| sass-loader | 8.0.2 | 8.0.2 | 9.0.1 |
| stylelint | 13.2.0 | 13.6.1 | 13.6.1 |
| stylelint-scss | 3.14.2 | 3.18.0 | 3.18.0 |
| terser-webpack-plugin | 2.3.5 | 2.3.7 | 3.0.6 |
| typescript | 3.9.3 | 3.9.6 | 3.9.6 |
| url-search-params-polyfill | 8.0.0 | 8.1.0 | 8.1.0 |
| uuid | 8.1.0 | 8.2.0 | 8.2.0 |
| vue-eslint-parser | 7.0.0 | 7.1.0 | 7.1.0 |
| vue-property-decorator | 8.4.0 | 8.5.1 | 9.0.0 |
| vuex | 3.1.3 | 3.5.1 | 3.5.1 |
| vuex-smart-module | 0.3.4 | 0.3.4 | 0.4.2 |

As reported by `retirejs` (**Risk: {icon exclamation-triangle color=yellow} medium**):

/src/node_modules/tinycolor2/demo/jquery-1.9.1.js

1. jquery 1.9.1
   1. https://nvd.nist.gov/vuln/detail/CVE-2015-9251
   2. https://nvd.nist.gov/vuln/detail/CVE-2015-9251
   3. https://nvd.nist.gov/vuln/detail/CVE-2019-11358
   4. https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
