sbassett added a comment.
In T249039#6362819 <https://phabricator.wikimedia.org/T249039#6362819>, @darthmon_wmde wrote:

> heads up: I am accepting the risk and we programmed the deploy to production.

Great, thanks.

> We have already fixed <https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/618319> some of the dev dependencies - by yesterday there were no high vulnerabilities, only low ones.

Ok, great.

> You mentioned that we need to commit to a risk plan to review the vulnerable dependencies e.g. in the next 30 days. From talking to the team the issue here is rather a continuous than a milestone, meaning that this is a moving target and we need a process to periodically check and fix the dependencies of our projects (To this aim we could really benefit from https://phabricator.wikimedia.org/T228527)
>
> With all this in mind, could you please specify the kind of commitment that you expect from me?

The expectations the #security-team <https://phabricator.wikimedia.org/tag/security-team/> would have would be:

1. Accepting the risk resulting from this review would mean accepting accountability for any potential issue which might arise from this code being deployed upon Wikimedia hardware, e.g. being fully accountable if, say, a vulnerability from a deployed npm package resulted in a security incident.

2. Regarding the risk plan, what you've described seems reasonable. Given the vast amount of upstream code used for wikidata-bridge and other projects, it's likely infeasible to get to a point any time soon where every vulnerability has been addressed and resolved. Committing to constant vigilance of dependency vulnerabilities and working to remediate those via patches to upstream, upgrading to secure versions or using alternative packages are all acceptable solutions.
To help with this, it might make sense to set up automated jobs (outside of publicly-viewable jenkins CI jobs) to run tools like `npm audit`, `retirejs`, `outdated` and `snyk` against the code base, which would then inform developers of current statuses.

TASK DETAIL
https://phabricator.wikimedia.org/T249039

Wikidata-bugs mailing list
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
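An added example of the kind of severity gate such a periodic job could run, written for this page rather than taken from the task or the Wikibase project; it assumes the `metadata.vulnerabilities` count object that `npm audit --json` emits (present in both the npm 6 and npm 7+ report formats), and the `evaluate_audit` / `run_gate` names are mine.

```python
import json
import subprocess
import sys

# Severities in ascending order, as npm names them in metadata.vulnerabilities.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]


def evaluate_audit(report_json: str, fail_at: str = "high") -> dict:
    """Parse `npm audit --json` output and decide whether the gate passes.

    `fail_at` is the lowest severity that blocks ("high" blocks high and
    critical, so low-severity advisories alone still pass)."""
    report = json.loads(report_json)  # empty/garbled output raises: fail loudly
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    threshold = SEVERITIES.index(fail_at)
    blocking = {sev: counts.get(sev, 0)
                for sev in SEVERITIES[threshold:] if counts.get(sev, 0) > 0}
    return {"counts": counts, "blocking": blocking, "ok": not blocking}


def run_gate(project_dir: str = ".", fail_at: str = "high") -> int:
    """Run npm audit in project_dir and return an exit code for the job.

    npm itself exits non-zero whenever it reports anything, so the JSON is
    read regardless of its exit status and the decision is made here."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=project_dir,
                          capture_output=True, text=True, check=False)
    result = evaluate_audit(proc.stdout, fail_at)
    for sev in SEVERITIES:
        print(f"{sev:>9}: {result['counts'].get(sev, 0)}")
    if not result["ok"]:
        print(f"blocking findings at or above '{fail_at}': {result['blocking']}")
        return 1
    return 0


# Constructed sample (not real audit output): only low-severity advisories.
SAMPLE_LOW_ONLY = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 3, "moderate": 0, "high": 0, "critical": 0}}})

if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Wired into a scheduled job, the non-zero exit is what notifies developers; lowering `fail_at` to `"moderate"` tightens the gate without touching the parsing.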
