-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: update amaro to 0.0.5 #54102
deps: update amaro to 0.0.5 #54102
Conversation
Review requested:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This changed the wasm bundle
How to verify it?
We updated the swc version to 1.7.2 |
Are both the update and the build process expected to be deterministic and produce the same wasm binary? |
I'm not sure what you mean, the wasm is produced manually (by me running the build-wasm script) and once during the swc update in amaro -> PR nodejs/amaro@4d8cb7b |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #54102 +/- ##
==========================================
- Coverage 87.07% 87.07% -0.01%
==========================================
Files 643 643
Lines 181583 181583
Branches 34886 34889 +3
==========================================
- Hits 158114 158110 -4
- Misses 16751 16754 +3
- Partials 6718 6719 +1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm unconvinced about the build process security
Will take a close look today
Please don't land yet
Thanks!! |
@RafaelGSS I'd like to include this in the next 22 release because it updates swc to 1.7.2 and fixed a bunch of bugs in the transpiler |
@ChALkeR I agree that we should improve the build process related to the WASM part. I had talked to @marco-ippolito and that is something on his list. Ideally we'll get to the point were we have an automated updater, and that updater will build the WASM from the source under the deps repo. @marco-ippolito correct me if I have anything about the end goal. |
its correct, related to nodejs/amaro#17 |
@ChALkeR I'd wait a few more hours but imho its important to land it in v22.6.0. we can discuss more about the security improvements in the related issue |
|
We are talking about an impl that by design can produce unrestricted changes to js code before executing that code with host privileges on all setups that will definitely want to test out this new feature in the release And we have no way to verify what changes it does right now except for at least attempting to verify the build process / reproduce it I'm... paranoid a bit (also re: @mhdawson ^ ) |
These changes (and the whole diff at the generated wasm code) are produced by just
|
What additionally bugs me is that upon closer look, the implementation in amaro (and the one included in Node) is in fact not a mere type stripper, contrary to the optics around it in #53725 It can do code generation and insert additional code directly before it's execution, with no changes to Node.js |
94.32%
I trust @marco-ippolito in terms of the security aspects you are concerned about. Again feel free to open a PR to try to resolve your concerns alternatively a PR to remove amaro. I don't see how blocking this PR is helping. If you are concerned about this PR then you should be concerned with current master as well. |
@ChALkeR it's unclear if you are actually blocking or not. Can you please add a "request changes" review if you are. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formally blocking for now, hope to resolve this today
For clarity: I'm excited about this feature and the hard work @marco-ippolito has done to build this
I just want to reduce the risks we have before this gets to users
Thanks @ronag for suggestion to actually press the button, forgot about that
Thanks! At this point I usually tell that "betting on your beliefs" / or making them explicit with assigning probabilities is a good epistemic practice! This PR did not just change the wasm, it also changed the bundle format, and it now uses global I'm not confident that it wasn't possible earilier, but the changes are definitely there: the specific code example from that comment doesn't trigger this behavior on main and triggers it on this PR.
|
@marco-ippolito Are @ChALkeR concerns relevant event if the |
@ronag no, this still has to be explicitly enabled by the user afaik (not entirely confident, will recheck!) -- just a lot of users will do that soon once this releases |
the previous amaro version was using an swc nightly build specific released for us by @kdy1 (maintainer of swc). @ChALkeR I'm really trying to address your concern, what can I do to make this land? |
I am also seeing it. What additionally concerns me is that I'm seeing it even if I modify (or even That's what I meant by "something is strange" in #54102 (comment) (sorry needed more time to sleep & confirm) The build process doesn't seem like it's using the code in the repo And produces the same wasm each time despite the modifications or code removal! I'm still unsure if that's cache or if it gets that over network, investigating This could have also made updates not updates and could be the cause behild #54102 (comment) perhaps (not sure yet) |
@marco-ippolito I hope we can get this in today, still investigating what's happening with the build process |
sure |
Status update: atm we don't know the dep tree that was built into the wasm, but we know that it did not, in fact, come from the sources present in the /~https://github.com/nodejs/amaro repo Still investigating Ref: nodejs/amaro#23 |
CI was already green https://ci.nodejs.org/job/node-test-pull-request/60722/ it has been restarted by mistake |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
I think this can land based on a few principles:
- we trust Marco to not be a bad actor. He is a TSC member, he works for a OpenJS Foundation member company, and he worked for NearForm in the the past. I hope any of those two companies did comprehensive background checks. We are not set up to defend against state-actors schemes, as we want to encourage people to contribute to the project.
- This is not "active" by default, therefore the risk is extremely limited.
I think 100% of @ChALkeR concerns are valid and must be addressed, I don't think they are needed before landing this PR.
@mcollina i don't think @marco-ippolito is a bad actor What I fear most is supply chain attacks (e.g. through swc deps tree) executing code on end user setups The original PR vas reviewed and landed on an assumption that it ia built from sources present in the repo That does not seem to be true We currently don't know which sources it is built from We do have a way forward to figure things out in a timely manner though |
I mean we know the SWC sources that are being used, but some crates have been downloaded by cargo at build time. |
Has that been confirmed to be the source? Which urls were used? |
Yes I checked and that is the way cargo build works. Some crates are downloaded at build time. (that also applies to the original PR), issue is the lack of a lock file |
Will recheck shortly today |
Then we can agree that this PR is safe to land.
I concur with this being something we must address. However it's something important to fix long term, as no user code pass through this without them knowing or seeing an experimental warning. |
it seems to be a machine failure on windows on the ci that has been rerun by mistake, but this CI is green for commit hash a1fe347 which is the right one |
Closing as we will release a new version |
This is an automated update of amaro to 0.0.5.