Pablo-WMDE added a comment.

  > **Vulnerable Packages**
  > **Risk: medium**
  > [...]
  > **Outdated Packages**
  
  There recurringly are, and recently were, efforts to get those numbers down; 
maybe a recheck (e.g. after sha 5f1d7d106f47dbe7738efb788144d7f2fe391f39 
<https://phabricator.wikimedia.org/rEWBA5f1d7d106f47dbe7738efb788144d7f2fe391f39>) 
is all it takes to find more acceptable counts (is 0 the success criterion?).
  This is a moving target, however. At WMDE we are in the process of finding a 
structured workflow (for the products' and the developers' sake) which prevents 
those counts climbing again. A push on T228527: Support nested package.json 
files <https://phabricator.wikimedia.org/T228527> from people with an official 
security hat would be of great help to make this happen in (ever more popular) 
monorepos.
  
  > As reported by `retirejs`:
  > (**Risk: medium**)
  >
  > /src/node_modules/tinycolor2/demo/jquery-1.9.1.js
  
  I believe this is a false positive. TinyColor (which we depend on via 
@storybook/addon-knobs@5.3.19 > react-color@2.18.1 > tinycolor 1.4.1) does 
contain a copy of jquery 1.9.1 for its own demo 
<https://github.com/bgrins/TinyColor/tree/ab58ca0/demo> page, but it is not 
part of its package, and consequently not loaded in the bridge product.
  
  Thanks for making sure we deliver quality work to our users!

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett, Pablo-WMDE
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm