We install node version v16.0.0 which is 1.5y old and has several security updates
Categories
(Firefox Build System :: Toolchains, defect)
Tracking
(firefox-esr102 fixed, firefox105 fixed)
People
(Reporter: julienw, Assigned: standard8)
References
Details
(Keywords: perf-alert)
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr102+
|
Details | Review |
I noticed that we install node v16.0.0, at least on Linux:
$ ~/.mozbuild/node/bin/node --version
v16.0.0
But v16.0.0 is from April 2021 and got several security updates since then. See https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md for the changelog in the v16 branch. Searching for security release I'm counting 7.
|
Reporter | |
Updated•3 years ago
|
|
Assignee | |
Comment 1•3 years ago
|
||
We should probably update all our node versions that we use to the latest available of each branch.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
||
Comment 4•3 years ago
|
||
| bugherder | ||
|
||
Comment 5•3 years ago
|
||
(In reply to Pulsebot from comment #3)
Pushed by mbanner@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/839f7f524344
Update NodeJS to latest versions for the branches.
r=firefox-build-system-reviewers,glandium
== Change summary for alert #35009 (as of Thu, 04 Aug 2022 18:02:26 GMT) ==
Regressions:
| Ratio | Test | Platform | Options | Absolute values (old vs new) |
|---|---|---|---|---|
| 38% | welcome loadtime | linux1804-64-shippable-qr | cold fission webrender | 67.38 -> 92.96 |
| 23% | reddit-billgates-ama.billg-ama fcp | linux1804-64-shippable-qr | cold fission webrender | 151.67 -> 187.25 |
| 23% | reddit-billgates-ama.members fcp | linux1804-64-shippable-qr | cold fission webrender | 151.67 -> 187.25 |
| 21% | welcome fcp | linux1804-64-shippable-qr | cold fission webrender | 108.88 -> 131.25 |
| 20% | welcome fcp | linux1804-64-shippable-qr | cold fission webrender | 108.65 -> 130.42 |
| 20% | welcome loadtime | linux1804-64-shippable-qr | fission warm webrender | 34.25 -> 41.04 |
| 11% | twitter fcp | linux1804-64-shippable-qr | bytecode-cached fission warm webrender | 127.85 -> 141.42 |
| 9% | reddit-billgates-post-2.billg fcp | linux1804-64-shippable-qr | cold fission webrender | 295.08 -> 321.25 |
| 9% | reddit-billgates-post-2.hot fcp | linux1804-64-shippable-qr | cold fission webrender | 295.08 -> 321.25 |
| 9% | reddit-billgates-post-2.top fcp | linux1804-64-shippable-qr | cold fission webrender | 295.08 -> 321.25 |
| 2% | welcome PerceptualSpeedIndex | linux1804-64-shippable-qr | cold fission webrender | 1,388.71 -> 1,417.42 |
Improvements:
| Ratio | Test | Platform | Options | Absolute values (old vs new) |
|---|---|---|---|---|
| 2% | instagram PerceptualSpeedIndex | linux1804-64-shippable-qr | fission warm webrender | 538.12 -> 527.17 |
For up to date results, see: https://treeherder.mozilla.org/perfherder/alerts?id=35009
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
Not sure why I've been NI'ed here. The perf-alert has been closed as wontfix.
Given that this is only an infrastructure upgrade I think that is the right move - I would assume that the node server performance is impacting the speed of the tests and we can't do much about that.
As far as I know the only code generated live by the build system is the devtools code - which would be unlikely to impact these tests. Even if other code is being generated, I would expect the result to be a function of the modules that node runs, rather than the node version itself. Hence updating node shouldn't have an impact on the resultant code.
|
|
||
Comment 7•3 years ago
|
||
I don't know why the perf alert was closed as wontfix.
It seems to be a very high overhead to be ignored, though... I mean, how do we know it's not masking anything those perf tests are trying to measure?
|
|
Assignee | |
Comment 8•3 years ago
|
||
Dave, is there someone familiar with these tests. I am on PTO this week, and the documentation doesn't say enough about how these are measured.
|
|
Reporter | |
Updated•3 years ago
|
|
||
Comment 9•3 years ago
|
||
I agree with the wontfix resolution for those regressions/improvements. Changing the environment/infrastructure our perf tests run in more often than not results in (what we call) changes to the baseline. Changes in variance are more concerning, but I don't see any issues in those metrics, and in a couple cases there are improvements.
|
|
Assignee | |
Comment 11•3 years ago
|
||
|
|
Assignee | |
Comment 12•3 years ago
|
||
Just added patch for ESR. Requested review as it bumps the 10.x series as well. I matched the node versions to the original patch, so we'll want to uplift bug 1792227 as well once (or when) this lands.
|
||
Comment 13•3 years ago
|
||
A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)
|
||
Comment 14•3 years ago
|
||
Tom: what's the equivalent of Update Bot helping us update Node.js as security releases are rolled out?
|
||
Comment 15•3 years ago
|
||
We could use Updatebot for it, we'd need a custom script to update the things shown in this patch, and a way to know when there's a new release we care about. It'd probably be vendoring via tarfiles (since we're using an LTS branch) as described in Bug 1792075
|
|
||
Comment 16•3 years ago
|
||
There is no vendoring going on here.
|
|
||
Comment 17•3 years ago
|
||
Sorry, kind of a leaky abstract in my wording. Right, we're not vendoring anything in tree; I was referring to how Updatebot can know if there's something new to update to, and I think the best method for that would be via tarfile releases rather than looking at git tags.
|
|
Assignee | |
Comment 18•3 years ago
|
||
Comment on attachment 9296311 [details]
Bug 1782523 - Update NodeJS to latest versions for the branches on ESR. r?#firefox-build-system-reviewers
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Security update for a tool that we use on the build system.
- User impact if declined: None
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Build tooling only
|
||
Comment 19•3 years ago
|
||
Comment on attachment 9296311 [details]
Bug 1782523 - Update NodeJS to latest versions for the branches on ESR. r?#firefox-build-system-reviewers
Approved for 102.4esr.
|
|
||
Comment 20•3 years ago
|
||
| bugherder uplift | ||
Description
•