On 2025-04-01 09:43:21 +0200 (+0200), Pierre Riteau wrote:
[...]
> I submitted a change to replace the minified apexcharts with the
> latest full version [1]. It needs to be tested because there could
> be major changes in apexcharts breaking blazar-dashboard.
[...]
Longer term, it would be best if we can all work together to find a
consistent workflow that avoids OpenStack projects
embedding/vendoring random third-party libraries in their Git
repositories. Skyline has a similar issue to tackle right now, which
was very recently brought to light, and there's been long-running
discussions in Horizon about how to get away from the xstatic
package model which still has many of the same drawbacks.
Ideally, these dependencies would be sourced at install (or at least
build) time from their own upstream release artifacts either
securely over the Internet or from locally-supplied copies. The
OpenStack community lacks the resources and tooling to track and
react to vulnerabilities in our dependencies. What's the plan for
blazar-dashboard if there's a security vulnerability in apexcharts?
How do we expect to find out that we're shipping an outdated,
vulnerable version of it to our users? Do blazar-dashboard releases
even document what version of apexcharts they include, and notify
users that they're on their own keeping track of when and whether
they should apply security fixes for it?
Also see the long-standing TC resolution on Guidelines for Managing
Releases of Binary Artifacts which points out many of these risks:
https://governance.openstack.org/tc/resolutions/20170530-binary-artifacts.html
--
Jeremy Stanley
Hi Jeremy,
Sorry for the delay in responding to your message. I just resumed working on an updated change [1].
You bring up valid points about the long term maintenance of vendored libraries, which were not taken into account within blazar-dashboard when the apexcharts JS library was imported.
In the absence of a better mechanism for managing external dependencies, I could suggest that the Blazar project start monitoring releases of apexcharts and provide timely updates, including on stable branches. It would be feasible since it is only one dependency.
However, I discovered that this project switched to a custom license [2] recently, so we are stuck with the last 4.x release under the MIT license. We may have to find an open-source replacement for this functionality.
How is the Horizon project dealing with the issue of tracking and updating dependencies? It looks like many of the XStatic repositories haven't been updated in several years.
Pierre
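Both messages above turn on the same practical question: how a project would notice that it ships a vendored library at an outdated version, and how it would document which version each release contains. The script below is an added example and is not code from blazar-dashboard, Horizon, Blazar or any OpenStack tooling. It assumes (an assumption, not a documented format) that a vendored bundle begins with a banner comment of the form "/*! <Name> v<X.Y.Z> ... */", and that the maintainer supplies the minimum acceptable version per library; the sample tree, file contents and the 3.45.0 floor are constructed for the demo and are not real advisory data.

```python
"""Find vendored JavaScript libraries in a source tree, record their
versions, and flag any older than a maintainer-supplied minimum.

Added example; not part of blazar-dashboard, Horizon or OpenStack tooling.
Assumptions: (1) a vendored file starts with a banner comment of the form
"/*! <Name> v<X.Y.Z> ... */"; (2) minimum versions are supplied by the
maintainer (here constructed sample data, not real advisory information).
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Many distributed JS bundles keep a "preserved" banner comment (/*! ... */)
# naming the library and version. Assumption: the name is followed by "v"
# and a dotted version number; adapt the pattern to the library you vendor.
BANNER_RE = re.compile(
    r"/\*!\s*\*?\s*(?P<name>[A-Za-z][A-Za-z0-9_.-]*)\s+v(?P<version>\d+(?:\.\d+){1,2})"
)

# Only the head of a (possibly multi-megabyte) minified file is inspected.
HEAD_BYTES = 512


def parse_version(text: str) -> tuple:
    """'3.41.0' -> (3, 41, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def vendored_banner(path: Path) -> Optional[dict]:
    """Return {'name', 'version', 'path'} if the file carries a version banner."""
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(HEAD_BYTES)
    match = BANNER_RE.search(head)
    if not match:
        return None
    return {
        "name": match.group("name").lower(),
        "version": match.group("version"),
        "path": str(path),
    }


def scan_tree(root: Path, suffixes=(".js",)) -> list:
    """Walk `root` and collect every file whose head looks like a library banner."""
    found = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            info = vendored_banner(path)
            if info:
                found.append(info)
    return found


def check_minimums(found: list, minimums: dict) -> list:
    """Compare each vendored library against a maintainer-supplied floor.

    `minimums` maps lower-cased library name to the oldest version the
    maintainer still accepts (in a real project this comes from upstream
    release notes or advisories, not a literal in the code). Returns one
    human-readable finding per outdated or untracked library.
    """
    findings = []
    for info in found:
        floor = minimums.get(info["name"])
        if floor is None:
            findings.append(f"{info['path']}: {info['name']} {info['version']} "
                            "is vendored but has no tracked minimum version")
        elif parse_version(info["version"]) < parse_version(floor):
            findings.append(f"{info['path']}: {info['name']} {info['version']} "
                            f"is older than required {floor}")
    return findings


def manifest(found: list) -> dict:
    """name -> version, suitable for publishing alongside each release."""
    return {info["name"]: info["version"] for info in found}


def demo() -> tuple:
    """Build a constructed sample tree and run the scan against it."""
    root = Path(tempfile.mkdtemp())
    static = root / "blazar_dashboard" / "static" / "js"
    static.mkdir(parents=True)
    # Constructed stand-in for a vendored, minified chart library.
    (static / "apexcharts.min.js").write_text(
        "/*!\n * ApexCharts v3.41.0\n * Released under the MIT License.\n */\n"
        "!function(e,t){...}();\n"
    )
    # Project-owned code with no banner must not be reported as vendored.
    (static / "blazar.js").write_text("// project-owned code, no banner\n")
    found = scan_tree(root)
    # Constructed floor: pretend the maintainer requires at least 3.45.0.
    minimums = {"apexcharts": "3.45.0"}
    return manifest(found), check_minimums(found, minimums)


if __name__ == "__main__":
    versions, problems = demo()
    print("vendored:", versions)
    for line in problems:
        print("FINDING:", line)
```

Run in CI against the repository root, the `manifest()` output is the per-release record of embedded library versions, and a non-empty result from `check_minimums()` is the signal that a stable branch is shipping something older than the maintainer has decided to accept. The floor itself still has to be maintained by hand, which is exactly the tracking burden the thread is about; the script only makes the gap visible.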