Azure / azure-sdk-tools

Tools repository leveraged by the Azure SDK team.
MIT License

Remove `openapi-github`, inlining remaining required code to `openapi-alps` #8184

Closed konrad-jamrozik closed 4 months ago

konrad-jamrozik commented 6 months ago

https://devdiv.visualstudio.com/DevDiv/_git/openapi-github https://devdiv.visualstudio.com/DevDiv/_git/openapi-alps

Email thread: RE: CVEs in s360:

I analyzed the openapi-github some months ago with the goal of inlining into openapi-alps, but I couldn’t do it without editing openapi-portal. openapi-alps depends on RepoNaturalKey, OwnerScope and GitHubApp.

konrad-jamrozik commented 4 months ago

Removing openapi-alps dependency on openapi-github would be a significant effort.

One of the types imported is GithubApp, which effectively depends on the entirety of openapi-github. Even if we would decide to copy-paste over all the contents of openapi-github into openapi-alps, we would run into the major obstacle of mismatched versions with breaking changes:

All projects in openapi-alps depend on "@octokit/rest": "18.0.3" and denote that openapi-github needs 16.43.2:

openapi-alps:

common\config\rush\pnpm-lock.yaml:
     98:   '@octokit/rest':
   1250:       '@octokit/rest': 18.0.3(encoding@0.1.13)
   2855:   /@octokit/rest@16.43.2(@octokit/core@4.2.4)(encoding@0.1.13):
   2879:   /@octokit/rest@18.0.3(encoding@0.1.13):
  12721:       '@octokit/rest': 16.43.2(@octokit/core@4.2.4)(encoding@0.1.13)
  13426:       '@octokit/rest': 16.43.2(@octokit/core@4.2.4)(encoding@0.1.13)
  16893:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  16938:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  17096:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  17216:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  17346:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  17414:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  17473:       '@octokit/rest': 18.0.3(encoding@0.1.13)
  17504:       '@octokit/rest': 18.0.3(encoding@0.1.13)

See also package-lock.json of openapi-github.

Hence to copy the types, we would have to update them to work with 18.0.3. There was a massive amount of breaking changes between 16.43.2 and 18.0.3. For example, see the breaking changes list here:

Hence my recommendation here would be to abandon the effort to inline the code. Instead, we should consider a separate effort of "GitHub API usage refresh" where we rewrite all our dependency on GitHub API to use the newest API and practices available. For example, @octokit/rest is now at v21.0.0!

@mikeharder, @weshaggard what are your thoughts on this?
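The grep over pnpm-lock.yaml above is doing a duplicate-version check by hand. Here is the same check as an added script (not code from openapi-alps or the Azure SDK team): it scans the `packages:` keys of a pnpm lockfile, reports every package that resolves to more than one version, and runs against a constructed excerpt modelled on the quoted lines, so the real file path and contents are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the pnpm lockfile v6 key style quoted in the thread
# (not the real openapi-alps file): @octokit/rest is resolved twice.
SAMPLE_LOCK = """\
packages:

  /@octokit/core@4.2.4:
    resolution: {integrity: sha512-placeholder}

  /@octokit/rest@16.43.2(@octokit/core@4.2.4)(encoding@0.1.13):
    resolution: {integrity: sha512-placeholder}
    dependencies:
      '@octokit/core': 4.2.4

  /@octokit/rest@18.0.3(encoding@0.1.13):
    resolution: {integrity: sha512-placeholder}

  /encoding@0.1.13:
    resolution: {integrity: sha512-placeholder}
"""

# A package key looks like  /<name>@<version>(<peer>@<ver>)...:
# The name may be scoped (@scope/name); the peer suffix in parentheses
# distinguishes resolutions of the same version and is ignored here.
PKG_KEY = re.compile(r"^\s*/((?:@[^/@\s]+/)?[^@/\s(]+)@([^\s(:]+)")


def resolved_versions(lock_text):
    """Map each package name to the sorted distinct versions the lockfile resolves."""
    versions = defaultdict(set)
    for line in lock_text.splitlines():
        m = PKG_KEY.match(line)
        if m:
            versions[m.group(1)].add(m.group(2))
    return {name: sorted(v) for name, v in versions.items()}


def duplicated_packages(lock_text):
    """Packages present in more than one version: each copy needs its own CVE review."""
    return {n: v for n, v in resolved_versions(lock_text).items() if len(v) > 1}


if __name__ == "__main__":
    for name, vers in duplicated_packages(SAMPLE_LOCK).items():
        print(f"{name}: {', '.join(vers)}")
```

Point it at `common/config/rush/pnpm-lock.yaml` (read the file into `lock_text`) to get the full list rather than just `@octokit/rest`; a package whose old version carries a CVE stays in the graph as long as any transitive dependency still pins it.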

konrad-jamrozik commented 4 months ago

We discussed this: for now we will keep the openapi-alps dependency on openapi-github and just deprecate the openapi-github repo.

konrad-jamrozik commented 4 months ago

Pull Request 562193: Deprecate openapi-github

konrad-jamrozik commented 4 months ago

Service Ticket 2112715: Azure SDK Team SpringGrove Security push: Asking for help in deprecating openapi-github and openapi-telemetry repos and associated artifacts