Investigate reminding people to update `npm audit`
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tarrow
	Jan 31 2020, 11:00 AM

Description

We need a solution to keep us on top of required npm package updates.

Status Quo:

LibraryUpgrader2 runs on most Gerrit repositories (but not on nested packages)
- https://gerrit.wikimedia.org/r/plugins/gitiles/labs/libraryupgrader/config/+/refs/heads/master/repositories.json
- https://libraryupgrader2.wmcloud.org/vulns/npm?branch=master
- There are no email notifications for this
Dependabot runs for most of our Github repositories (but not for nested packages?)
There is a daily job run on jenkins for WikibaseLexeme for npm audit
- This was added in https://gerrit.wikimedia.org/r/c/573235
- This is still running https://integration.wikimedia.org/ci/job/wikibase-daily-npm-audit-daily-node10-npmaudit-docker

Speculation around approach:

During ticket polishing we discussed the fact that a calendar event could be enough? https://en.wikipedia.org/wiki/Patch_Tuesday
Automation of simply running npm audit could also probably be achieved with jenkins and github actions with email notifications

In T244001#6884044, @wiese wrote:

FWIW lerna-audit now (v1.3.1) does not show the problems anymore which we encountered earlier (e.g.) when using it to tend to monorepos.

Acceptance criteria ⛺✨ :

Know all of the places that we have package.json files that need to be audited (and their current state in temrs of audit being run)

Details

Subject	Repo	Branch	Lines +/-
Dependabot -> Gerrit, Github Action	mediawiki/extensions/WikibaseManifest	master	+70 -0
TR: Add as dev dependency of Wikibase	mediawiki/extensions/Wikibase	master	+25 K -0
Update wikimedia-stylint-config	mediawiki/extensions/Wikibase	master	+702 -1 K
TR: Update dependencies to pick up security fixes	mediawiki/extensions/Wikibase	master	+2 K -1 K
bridge: Update dependencies to pick up security fixes	mediawiki/extensions/Wikibase	master	+1 K -1 K
Add daily job to run npm audit on Wikibase	integration/config	master	+37 -0

Customize query in gerrit

Related Objects

Mentioned In: rEWBN2bffb79693c3: Dependabot -> Gerrit, Github Action
T283333: Add dependabot change mirroring to Wikidata / Wikibase gerrit repositories
Mentioned Here: P14784 (An Untitled Masterwork)
T228527: Support nested package.json files

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Lerna looks interesting but as far as I can see we'd need to commit to it for all packages in our "monorepo" (and it's really not clear to me how that would work with submodules like termbox).

Moving to camp as we closed the hike!

Restricted Application added a project: Wikidata. · View Herald TranscriptFeb 17 2020, 10:43 AM

Tarrow moved this task from To Do (prioritised from top to bottom) to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.Feb 17 2020, 10:43 AM

Maintenance_bot moved this task from incoming to in progress on the Wikidata board.Feb 17 2020, 11:15 AM

Change 572828 had a related patch set uploaded (by Tarrow; owner: Tarrow):
[mediawiki/extensions/Wikibase@master] TR: Add as dev dependency of Wikibase

https://gerrit.wikimedia.org/r/572828

gerritbot added a project: Patch-For-Review.Feb 18 2020, 10:12 AM

Tarrow updated the task description. (Show Details)Feb 19 2020, 9:52 AM

Change 573235 had a related patch set uploaded (by Tarrow; owner: Tarrow):
[integration/config@master] Add daily job to run npm audit on Wikibase

https://gerrit.wikimedia.org/r/573235

Tarrow moved this task from Doing to Peer Review on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.Feb 19 2020, 10:06 AM

Addshore triaged this task as Medium priority.Feb 19 2020, 10:21 AM

Addshore moved this task from Peer Review to Stalled/Waiting on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.

Addshore claimed this task.Mar 6 2020, 2:05 PM

Addshore moved this task from Stalled/Waiting to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.

Restricted Application added a project: User-Addshore. · View Herald TranscriptMar 6 2020, 2:05 PM

Assigning to myself to make the CI change happen!

Change 573235 merged by jenkins-bot:
[integration/config@master] Add daily job to run npm audit on Wikibase

https://gerrit.wikimedia.org/r/573235

Job merged and running.

See https://integration.wikimedia.org/ci/job/wikibase-daily-npm-audit-daily-node10-npmaudit-docker/7/console

Currently email notifications are turned off pending @Tarrow review of this and getting it green :)

Additional merged gerrit config patches:

Addshore reassigned this task from Addshore to Tarrow.Mar 25 2020, 10:18 AM

Addshore subscribed.

Addshore moved this task from Unsorted 💣 to Back Burner 🏛️ on the User-Addshore board.Apr 1 2020, 9:44 AM

WMDE-leszek removed Tarrow as the assignee of this task.Apr 22 2020, 10:02 AM

WMDE-leszek moved this task from Doing to To Do (prioritised from top to bottom) on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.

The most recent run says these two need updating:

# Run  npm install --save-dev [email protected]  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-config-wikimedia [dev]                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-config-wikimedia > stylelint > meow > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1500                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update yargs --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @wdio/cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @wdio/cli > yargs > yargs-parser                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1500                      │
└───────────────┴──────────────────────────────────────────────────────────────┘

Change 602169 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/extensions/Wikibase@master] bridge: Update dependencies to pick up security fixes

https://gerrit.wikimedia.org/r/602169

Change 602175 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/extensions/Wikibase@master] TR: Update dependencies to pick up security fixes

https://gerrit.wikimedia.org/r/602175

@Addshore Maybe I'm missing something obvious but looking at https://gerrit.wikimedia.org/r/c/integration/config/+/573235/3/jjb/job-templates.yaml it does only checks the main wikibase package.json and not the important ones like bridge, TR, termbox (honestly, running npm audit on these submodules exploded majestically)

Is that intended?

Change 602177 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/extensions/Wikibase@master] Update wikimedia-stylint-config

https://gerrit.wikimedia.org/r/602177

• Pablo-WMDE updated the task description. (Show Details)Jun 4 2020, 11:15 AM

• Pablo-WMDE subscribed.

I see there’s already a home-brewed solution to this problem but nevertheless I'd like to leave something here:
https://dependabot.com/ - this is a bot that regularly checks for updates in a repo's dependencies. If any are found it updates them and creates a pull request. It works for various languages.
This is how it looks (on a private project of mine) - https://github.com/tzhelyazkova/schema-form-prototype/pull/3
It should be possible to be configured to work with gerrit, here's the core lib - https://github.com/dependabot/dependabot-script

In T244001#6201253, @Tonina_Zhelyazkova_WMDE wrote:

I see there’s already a home-brewed solution to this problem but nevertheless I'd like to leave something here:

Maybe I'm missing something obvious, but that supposed to work in Github only and the ones here are in gerrit (can we run dependabot in gerrit? I'd be really surprised).

Change 602169 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] bridge: Update dependencies to pick up security fixes

https://gerrit.wikimedia.org/r/602169

Maybe I'm missing something obvious, but that supposed to work in Github only and the ones here are in gerrit (can we run dependabot in gerrit? I'd be really surprised).

It is now native to GitHub, but I cannot think of a reason this bot cannot work with gerrit.
The last link in my message describes how it works in more detail, and it mentions how to set the bot up with GitLab.

Again, I just wanted to let y'all know a solution already exists, and it does more than what our thing does. So we might want to weigh in the pros and cons of both.
I did not spend a lot of time researching dependabot, so I don't know how to integrate it with gerrit.

For all I care this could be a Beer and Cake project :)

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.36; 2020-06-09).Jun 8 2020, 12:00 PM

So, there is a bot for gerrit that does various upgrades for extensions etc.
And this now works for Wikibase https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/605191
It also reports vulnerable packages to https://libraryupgrader2.wmflabs.org/vulns/npm

Having this work on multiple package.json files in a single repo is T228527: Support nested package.json files

darthmon_wmde edited projects, added Wikidata-Campsite; removed Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)).Jul 20 2020, 11:01 AM

darthmon_wmde moved this task from Incoming to Prioritized Wikidata Tech Backlog (prioritised from top to bottom) on the Wikidata-Campsite board.Aug 4 2020, 12:17 PM

• Pablo-WMDE added a project: User-Pablo-WMDE.Nov 25 2020, 1:35 PM

• Pablo-WMDE moved this task from Incoming to Short term on the User-Pablo-WMDE board.

Potentially will be solved magically by T228527

WMDE-leszek moved this task from Prioritized Wikidata Tech Backlog (prioritised from top to bottom) to Needs Tech Work on the Wikidata-Campsite board.Dec 1 2020, 2:48 PM

Addshore added a project: [DEPRECATED] wdwb-tech.Feb 25 2021, 10:37 AM

Addshore moved this task from Needs Tech Work to Prioritized Wikidata Tech Backlog (prioritised from top to bottom) on the Wikidata-Campsite board.Mar 2 2021, 12:00 PM

Addshore changed the task status from Stalled to Open.Mar 2 2021, 1:36 PM

Addshore updated the task description. (Show Details)

We might skip this in story time, as the phrasing of the description now sounds like we just need to make a decision as a team and then write a ticket for doing it (or make a cal event)

If the approach boils down to "Patch Tuesday", I'd assign this to management. We've had taken a first stab on introducing this as a "team activity" in the late 2020. Initial implementation failed due to the gallore of other "special" things happening in Deecember, but kickstarting it again would be easy and fairly non controversial.
If there is no technical/code work involved, I would not see it as a campsite task no more.

If there is no technical/code work involved, I would not see it as a campsite task no more.

I think if at estimation the technical solution is small it may be worth it (for more promptly noticing these things).
I think the manual solution would need to be facilitated with a list (such as the one we discussed in a retro today).
@WMDE-leszek I was going to propose asking the wider team to see if we as a whole would be happy with just an email reminder to do it.

In terms of reducing developer toil I think more time would likely be saved for implementing the technical solution rather than having someone manually run npm audit in 20+ places or so ever week or so

Oh, I missed the possible alternative approach, apologies (got too excited this is talking about the "team day" only as the comment mentioned a calendar event)

As I will not be able to join the Planning/Story time, my input to the discussion here: If the "implementing the technical solution" is preferred what is not yet defined is what to do in cases where trivial automated fix are not sufficient (basically the essential reason to actually have really people look into those deps)

In terms of the technical solution, this would only be to serve us a notification, not to do the actual fix.
So upon notification then someone would need to go look at the result of the audit and determine what libraries need updating etc.

what is not yet defined is what to do in cases where trivial automated fix are not sufficient

Thus this bit would be done on a case by case basis.

The jenkins job for the root of wikibase has actually been running for over a year now!
https://integration.wikimedia.org/ci/job/wikibase-daily-npm-audit-daily-node10-npmaudit-docker
I actually can't see that it has failed all year (probably because library upgrader also runs on the root of the repo updating the easy things that can be)

FWIW lerna-audit now (v1.3.1) does not show the problems anymore which we encountered earlier (e.g.) when using it to tend to monorepos.

Addshore moved this task from Inbox to legacy-backlog on the [DEPRECATED] wdwb-tech board.Mar 5 2021, 11:49 AM

Addshore edited projects, added [DEPRECATED] wdwb-tech (legacy-backlog); removed [DEPRECATED] wdwb-tech.

Addshore updated the task description. (Show Details)Mar 9 2021, 11:00 PM

Addshore updated the task description. (Show Details)Mar 11 2021, 9:48 AM

noarave updated the task description. (Show Details)Mar 11 2021, 11:41 AM

noarave set the point value for this task to 3.Mar 11 2021, 11:45 AM

noarave moved this task from Prioritized Wikidata Tech Backlog (prioritised from top to bottom) to Wikidata-Campsite-Iteration-∞ (On Hold) on the Wikidata-Campsite board.

noarave edited projects, added Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)); removed Wikidata-Campsite.

noarave updated the task description. (Show Details)Mar 11 2021, 12:05 PM

noarave removed the point value for this task.

This was picked up on campsite for now with the AC of:

Acceptance criteria ⛺✨ :
Know all of the places that we have package.json files that need to be audited (and their current state in temrs of audit being run)

A dump of our repos to consider can be found at https://phabricator.wikimedia.org/P14784

Jakob_WMDE claimed this task.Mar 15 2021, 1:53 PM

Jakob_WMDE moved this task from To Do (prioritised from top to bottom) to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.

Addshore moved this task from Incoming to Active on the [DEPRECATED] wdwb-tech (legacy-backlog) board.Mar 16 2021, 10:17 AM

I went through the list provided in T244001#6904372 and for each of them checked whether they contained one or more package.json files and whether the dependencies in that file are automatically audited. For the Github ones I only checked whether Dependabot is enabled. (Not sure if there is a way to have it enabled but not do anything useful.) In one case (wikit) I know that it's enabled but not auditing nested packages and marked that in the spreadsheet. For the gerrit ones I checked https://gerrit.wikimedia.org/r/plugins/gitiles/labs/libraryupgrader/config/+/refs/heads/master/repositories.json which contained very few of the repositories. I'm not sure whether I'm missing something there. https://libraryupgrader2.wmcloud.org/vulns/npm?branch=master contains some repositories which aren't the the aforementioned repositories.json config.

Spreadsheet: https://docs.google.com/spreadsheets/d/1ZAo5o6aTyfSRuMoQWjwoXeWTk-m61Py8_k46VZw_5yM/edit

• Tonina_Zhelyazkova_WMDE moved this task from Peer Review to Test (Verification) on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.Mar 17 2021, 2:15 PM

Addshore moved this task from legacy-backlog to Active on the [DEPRECATED] wdwb-tech board.Mar 18 2021, 9:32 AM

Addshore edited projects, added [DEPRECATED] wdwb-tech; removed [DEPRECATED] wdwb-tech (legacy-backlog).

Addshore moved this task from Back Burner 🏛️ to Active 🚁 on the User-Addshore board.Apr 15 2021, 2:30 PM

Addshore claimed this task.Apr 20 2021, 12:35 PM

Jakob_WMDE awarded a token.Apr 20 2021, 12:37 PM

Change 691265 had a related patch set uploaded (by Addshore; author: Addshore):

[mediawiki/extensions/WikibaseManifest@master] Dependabot -> Gerrit, Github Action

https://gerrit.wikimedia.org/r/691265

I looked once again at the draft attempt at creating an action for this (was https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/626687)
It is now reimagined in the change above which has been tested.

My bot account (Addbot) is currently used.
We can trial this on the WikibaseManifest extension, see how it goes, and maybe roll this out more later.

I should also look at making this easily reusable and maintainable.
https://docs.github.com/en/actions/creating-actions/creating-a-composite-run-steps-action

Investigation is done, state is known, and a potential next step has been explored and will be followed up in another ticket (that I will backlink)

Maintenance_bot moved this task from Test (Verification) to Done on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.May 19 2021, 12:15 PM

Addshore mentioned this in T283333: Add dependabot change mirroring to Wikidata / Wikibase gerrit repositories.May 21 2021, 9:51 AM

Change 602175 abandoned by Ladsgroup:

[mediawiki/extensions/Wikibase@master] TR: Update dependencies to pick up security fixes

Reason:

Already done.

https://gerrit.wikimedia.org/r/602175

Change 602177 abandoned by Ladsgroup:

[mediawiki/extensions/Wikibase@master] Update wikimedia-stylint-config

Reason:

Already done.

https://gerrit.wikimedia.org/r/602177

Change 691265 merged by jenkins-bot:

[mediawiki/extensions/WikibaseManifest@master] Dependabot -> Gerrit, Github Action

https://gerrit.wikimedia.org/r/691265

Addshore mentioned this in rEWBN2bffb79693c3: Dependabot -> Gerrit, Github Action.Jun 26 2021, 8:40 AM

Change 572828 abandoned by Tarrow:

[mediawiki/extensions/Wikibase@master] TR: Add as dev dependency of Wikibase

Reason:

https://gerrit.wikimedia.org/r/572828

Investigate reminding people to update `npm audit`Closed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Investigate reminding people to update `npm audit`
Closed, ResolvedPublic
Actions