Fixing npm security issues immediately in MediaWiki projects

LibUp writes a commit message by mostly analyzing the diff, fixes up some changes, and pushes the commit to Gerrit to pass through CI and be merged. If npm is aware of the CVE ID for the security update, that will be mentioned in the commit message. Each package upgrade is tagged, so if you want to e.g. look for all commits that bumped MediaWiki Codesniffer to v26, it’s a quick search away.

By Kunal Mehta

For the past 5ish years, I’ve been working on a project called libraryupgrader (LibUp for short) to semi-automatically upgrade dependency libraries in the 900+ MediaWiki extension and related git repositories. For those that use GitHub, it’s similar to the Dependabot tool, except LibUp is free software.

One cool feature that I want to highlight is how we are able to fix npm security issues in generally under 24 hours across all repositories with little to no human intervention. The first time this feature came into use was to roll out the eslint RCE fix (example commit).

This functionality is all built around the npm audit command that was introduced in npm 6. It has a JSON output mode, which made it straightforward to create an npm vulnerability dashboard for all of the repositories we track.

The magic happens in the npm audit fix command, which automatically updates semver-safe changes. The one thing I’m not super happy about is that we’re basically blindly trusting the response given to us by the npm server, but I’m not aware of any free software alternative.

LibUp then writes a commit message by mostly analyzing the diff, fixes up some changes since we tend to pin dependencies and then pushes the commit to Gerrit to pass through CI and be merged. If npm is aware of the CVE ID for the security update, that will also be mentioned in the commit message (example). In addition, each package upgrade is tagged, so if you want to e.g. look for all commits that bumped MediaWiki Codesniffer to v26, it’s a quick search away.

Lately, LibUp has been occupied fixing the minimist prototype pollution advisory through a bunch of dependencies: gonzales-pe, grunt, mkdirp, and postcss-sass. It’s a rather low priority security issue, but it now requires very little human attention because it has been automated away.

There are some potential risks. Someone could install a backdoor by putting an intentional vulnerability in the same version as fixing a known/published security issue. LibUp would then automatically roll out the new version, making us more vulnerable to the backdoor. This is definitely a risk, but I think our strategy of pulling in new security fixes automatically protects us more than the potential downside of malicious actors abusing the system (also because I wouldn’t absolutely trust any code pulled down from npm in the first place!).

There are some errors we see occasionally, and could use help resolving them: T228173 and T242703 are the two most pressing ones right now.

About this post

This post originally appeared on Kunal Mehta’s blog The Lego Mirror on 5 April 2020

Featured image credit: The Maughan Library round reading room, Colin, FCC BY-SA 4.0