Update known libraries hashes whitelist

RESOLVED FIXED in 6.3.3

Status

addons.mozilla.org Graveyard
Add-on Validation
RESOLVED FIXED
6 years ago
2 years ago

People

(Reporter: TheOne, Assigned: basta)

Tracking

unspecified
6.3.3

Details

(Whiteboard: [ReviewTeam], URL)

(Reporter)

Description

6 years ago
Please update the libraries hashes whitelist so it recognizes recent jQuery versions. At least v.1.6.4 (min) is not recognized.
Also, it would be really good to know which file each hash belongs to.
(Reporter)

Updated

6 years ago
Whiteboard: [required amo-editors]
(Reporter)

Updated

6 years ago
Target Milestone: --- → 6.3.0
Target Milestone: 6.3.0 → 6.3.1
I think this is just running a script.  Matt: do you have time for this?
Assignee: nobody → mattbasta
(Assignee)

Comment 2

6 years ago
This pull should address all of the jQuery versions prior to 1.7:

https://github.com/mozilla/amo-validator/pull/93

The only thing about this pull is that new Jetpack stuff has been merged into master since it was made, so I'll rebase that stuff out when I have a minute. Jasmine sent me the student worker contract with a start date in a few days, so I can just take care of this once things are all signed and wrapped up.

With regard to version numbers, that's a tough one. Hashes aren't generated by version number, they're generated by URL. The reason is because there are multiple versions of each version (i.e.: unminified, minified, packed, etc.). That would be better off as a separate bug, but I'd be curious as to whether listing the version would be particularly important, since virtually all JS libraries list their version number in the head of the file (even minified ones). Is there a particular scenario where knowing which version of the library being flagged is important?
(Reporter)

Comment 3

6 years ago
Well I guess it's not particularly important, but when a library is not known by the validator, it's completely unknown whether that version has just not yet been added or whether the author modified a version the validator knows about.

So with a quick look at the whitelist file, an editor could easily search for the version number there and see if there is an entry (with a different md5sum) or whether the editor has to go to the library's website and download and md5sum the original version manually.

That's not a big deal itself, but the validator whitelist has been outdated quite a couple of times and authors often use a very recent version of their library.

If it's too much effort to implement it for this scenario, that's ok. But then, please consider running that whitelist update script on a regular basis and not just on request.
Matt: If we remove the files from the repository (just have the code look in a directory for them and fail gracefully if they aren't there) we can add the update script to our deployment script and have it run whenever we push (assuming it runs relatively quickly).  I can help with the deployment stuff.
Target Milestone: 6.3.1 → 6.3.2
Target Milestone: 6.3.2 → 6.3.3
Duplicate of this bug: 704166
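The triage described in Comment 3, as an added example that is not part of the original thread or of amo-validator's code: a whitelist that keeps a label next to each hash, so a file whose version is listed under a different hash can be told apart from a version the list has never seen. The sample file bodies, the label layout and the function names are constructed for illustration, and SHA-256 stands in for the md5sum mentioned above.

```python
import hashlib
import re

# Constructed stand-ins for upstream release files (not real jQuery source).
SAMPLE_RELEASES = {
    ("jquery", "1.6.4", "min"): b"/*! jQuery v1.6.4 */\n(function(a,b){})(window);",
    ("jquery", "1.6.4", "full"): b"/*!\n * jQuery JavaScript Library v1.6.4\n */\n"
                                 b"(function( window ) {})( window );",
}

# Version banner that libraries place in the head of the file.
VERSION_RE = re.compile(rb"jQuery(?: JavaScript Library)? v(\d+(?:\.\d+)+)")


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_whitelist(releases):
    """Map digest -> (library, version, variant) so every hash names its file."""
    return {digest(body): label for label, body in releases.items()}


def format_whitelist(whitelist):
    """Render searchable lines: '<digest>  <library> <version> <variant>'."""
    return sorted("%s  %s" % (h, " ".join(label)) for h, label in whitelist.items())


def triage(data, whitelist):
    """Return ('known' | 'modified' | 'unlisted', label or None) for a bundled file."""
    label = whitelist.get(digest(data))
    if label:
        return "known", label
    # The banner is self-reported by the file: it routes the review, it proves nothing.
    match = VERSION_RE.search(data[:1024])
    if not match:
        return "unlisted", None
    claimed = match.group(1).decode()
    if any(entry[:2] == ("jquery", claimed) for entry in whitelist.values()):
        # This version is on the list under a different hash: the file was altered.
        return "modified", ("jquery", claimed, None)
    # Version not on the list at all: the whitelist is probably out of date.
    return "unlisted", ("jquery", claimed, None)
```

Only the `known` result is evidence of an unmodified release; `modified` and `unlisted` both mean the file still needs a manual comparison against the upstream copy.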
(Assignee)

Comment 6

6 years ago
I've updated the pull request with more JS libraries and a few minor tweaks. It should be good to go.

https://github.com/mozilla/amo-validator/pull/93
(Assignee)

Comment 7

6 years ago
Merged:

https://github.com/mozilla/amo-validator/commit/621728dc616c80e9c50caa665b1268d308e5cf4a
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Pushed to zamboni https://github.com/mozilla/zamboni/commit/d20f791d24fdd1abbf5f2c5c95c1c6015b79ec4f
Reclassifying editor bugs and changing to a new whiteboard flag. Spam, spam, spam, spam...
Whiteboard: [required amo-editors] → [ReviewTeam]
Product: addons.mozilla.org → addons.mozilla.org Graveyard