On Tue, 1 Apr 2025 at 18:39, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2025-04-01 09:43:21 +0200 (+0200), Pierre Riteau wrote: [...]
I submitted a change to replace the minified apexcharts with the latest full version [1]. It needs to be tested because there could be major changes in apexcharts breaking blazar-dashboard. [...]
Longer term, it would be best if we can all work together to find a consistent workflow that avoids OpenStack projects embedding/vendoring random third-party libraries in their Git repositories. Skyline has a similar issue to tackle right now, which was very recently brought to light, and there have been long-running discussions in Horizon about how to get away from the xstatic package model, which still has many of the same drawbacks.
Ideally, these dependencies would be sourced at install (or at least build) time from their own upstream release artifacts either securely over the Internet or from locally-supplied copies. The OpenStack community lacks the resources and tooling to track and react to vulnerabilities in our dependencies. What's the plan for blazar-dashboard if there's a security vulnerability in apexcharts? How do we expect to find out that we're shipping an outdated, vulnerable version of it to our users? Do blazar-dashboard releases even document what version of apexcharts they include, and notify users that they're on their own keeping track of when and whether they should apply security fixes for it?
Also see the long-standing TC resolution on Guidelines for Managing Releases of Binary Artifacts which points out many of these risks:
https://governance.openstack.org/tc/resolutions/20170530-binary-artifacts.ht...
-- Jeremy Stanley
Hi Jeremy,

Sorry for the delay in responding to your message. I just resumed working on an updated change [1].

You bring up valid points about the long-term maintenance of vendored libraries, which were not taken into account within blazar-dashboard when the apexcharts JS library was imported. In the absence of a better mechanism for managing external dependencies, I could suggest that the Blazar project start monitoring releases of apexcharts and provide timely updates, including on stable branches. It would be feasible since it is only one dependency.

However, I discovered that this project switched to a custom license [2] recently, so we are stuck with the last 4.x release under the MIT license. We may have to find an open-source replacement for this functionality.

How is the Horizon project dealing with the issue of tracking and updating dependencies? It looks like many of the XStatic repositories haven't been updated in several years.

Pierre

[1] https://review.opendev.org/c/openstack/blazar-dashboard/+/946019
[2] https://github.com/apexcharts/apexcharts.js/blob/main/LICENSE
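The two questions Jeremy raises (how would we find out that we ship an outdated copy, and does the release document which version is included) can be answered mechanically once a project keeps a small manifest next to its vendored files. The script below is an added example written for this thread; it is not code from blazar-dashboard, Horizon or apexcharts. It assumes a manifest that records, per library, the path, the pinned version and the SHA-256 of the vendored file, that each vendored file begins with a banner comment carrying an `X.Y.Z` version token, and that advisories arrive as a simple `{library: [{"id", "fixed_in"}]}` mapping from whatever feed the project chooses. All sample file contents, versions, hashes and the advisory identifier are constructed for the example. It generalises beyond apexcharts to any vendored JavaScript file that carries a version banner.

```python
"""Inventory check for vendored JavaScript libraries (added example).

Reports, for every library declared in the manifest: a missing file, a
checksum that no longer matches the declared one, a banner version that
disagrees with the pinned version, and any advisory whose fix lands in a
later version than the one shipped.  Files present under the vendor
directory but absent from the manifest are reported as undeclared.
"""
import hashlib
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from the first X.Y.Z token, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def banner_version(source):
    """Read the version from the leading comment of a JS file.

    Only the first comment block (/* ... */ or // ...) is inspected so that
    version-looking numbers deeper in minified code cannot produce matches.
    """
    m = re.match(r"\s*(/\*.*?\*/|//[^\n]*)", source, re.S)
    return parse_version(m.group(1)) if m else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


@dataclass
class Finding:
    library: str
    problem: str
    detail: str


def check_vendored(files, manifest, advisories):
    """Compare vendored files against the manifest and an advisory list.

    files:      {path: bytes} as read from the repository
    manifest:   {library: {"path", "version", "sha256"}} kept by the project
    advisories: {library: [{"id", "fixed_in"}]} from the chosen feed
    """
    findings = []
    declared_paths = {entry["path"] for entry in manifest.values()}
    for lib, entry in manifest.items():
        data = files.get(entry["path"])
        if data is None:
            findings.append(Finding(lib, "missing", entry["path"]))
            continue
        pinned = parse_version(entry["version"])
        if pinned is None:
            findings.append(Finding(lib, "bad-manifest-version", entry["version"]))
            continue
        if sha256_hex(data) != entry["sha256"]:
            findings.append(Finding(lib, "checksum-mismatch", entry["path"]))
        found = banner_version(data.decode("utf-8", "replace"))
        if found is None:
            findings.append(Finding(lib, "no-version-banner", entry["path"]))
        elif found != pinned:
            findings.append(Finding(lib, "version-mismatch",
                                    f"banner {found} != manifest {pinned}"))
        # Judge advisories against what is really in the file when known.
        current = found if found is not None else pinned
        for adv in advisories.get(lib, []):
            fixed = parse_version(adv["fixed_in"])
            if fixed is not None and current < fixed:
                findings.append(Finding(lib, "known-vulnerable",
                                        f"{adv['id']} fixed in {adv['fixed_in']}"))
    for path in sorted(set(files) - declared_paths):
        findings.append(Finding("?", "undeclared", path))
    return findings


# Constructed sample input: a fake minified bundle with a banner, plus a file
# nobody declared.  Library name, versions, hash and advisory id are made up.
_GOOD_JS = b"/*! example-charts v4.1.0 | MIT License */\n!function(){}();\n"
SAMPLE_FILES = {
    "static/vendor/example-charts.min.js": _GOOD_JS,
    "static/vendor/stray.min.js": b"// stray v0.0.1\n",
}
SAMPLE_MANIFEST = {
    "example-charts": {
        "path": "static/vendor/example-charts.min.js",
        "version": "4.1.0",
        "sha256": sha256_hex(_GOOD_JS),
    },
}
SAMPLE_ADVISORIES = {
    "example-charts": [{"id": "EXAMPLE-ADV-0001", "fixed_in": "4.2.0"}],
}


def demo():
    return check_vendored(SAMPLE_FILES, SAMPLE_MANIFEST, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.library}: {f.problem} ({f.detail})")
```

Run as a CI job, the same check gives a release the list of vendored versions it ships (the manifest) and fails the build when a file is changed without updating the manifest or when an advisory feed names the pinned version; the manifest is also the natural place for release notes to point users at.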