Handle security issues in Aphlict
Open, Normal, Public

Description

Follow-up to T16037 - a known vulnerability in the ws module took us almost a year to notice and fix.
We should be doing better.

This is special to Aphlict, which is a very small piece of code written in Node that most people never interact with.

Some options to prevent this from happening again:

  • Rewrite Aphlict in php
  • Have a dedicated Setup Check that will run in each install and just run npm audit
  • Add a "unit test" that will run npm audit (and will be triggered when?)
  • Have a periodic test check for this (and other things), on master every night/week/etc.
  • Have a manual search, every once in a while, for known vulnerabilities on any of our Dependencies.
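A severity gate over `npm audit --json` output, of the kind the Setup Check or test options above would need; this is an added example, not Phorge's or Aphlict's code, and the sample report is constructed (package names, severities and counts are assumed, not a real audit result).

```python
"""Gate on `npm audit --json` output, as a Setup Check or CI step could."""
import json
import subprocess

# Severity levels as npm audit reports them, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def findings_at_or_above(report, threshold="high"):
    """Return {package: severity} for findings at or above `threshold`.

    Expects the npm 7+ audit JSON shape: report["vulnerabilities"] maps the
    vulnerable package name to a record carrying a "severity" field.
    """
    floor = SEVERITY_RANK[threshold]
    vulns = report.get("vulnerabilities", {})
    return {
        name: rec["severity"]
        for name, rec in vulns.items()
        if SEVERITY_RANK.get(rec.get("severity", "info"), 0) >= floor
    }


def run_npm_audit(project_dir):
    """Run `npm audit --json` in project_dir and parse the report.

    npm exits non-zero whenever it finds anything, so check=True would hide
    the report; the JSON is still written to stdout in that case.
    """
    proc = subprocess.run(
        ["npm", "audit", "--json"], cwd=project_dir,
        capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


# Constructed sample in the npm 7+ audit JSON shape (not a real audit run).
SAMPLE_REPORT = json.loads("""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "ws": {"name": "ws", "severity": "high", "isDirect": true,
           "fixAvailable": true},
    "debug": {"name": "debug", "severity": "low", "isDirect": false,
              "fixAvailable": true}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                   "high": 1, "critical": 0, "total": 2}}
}
""")

if __name__ == "__main__":
    # Fail the check when anything at "moderate" or worse is present.
    raise SystemExit(1 if findings_at_or_above(SAMPLE_REPORT, "moderate") else 0)
```

For a real install, replace SAMPLE_REPORT with `run_npm_audit("support/aphlict/server")` or wherever the Aphlict package.json lives in that checkout.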

Event Timeline

avivey triaged this task as Normal priority.

Re "implement in php" - AFAICT, there's no built-in support for websockets in php, but I found at least 2 pure-php implementations out there that might work.