[14:48:36] <anomie>	 Hmm. Phab is putting a label "Task" on every task on the workboard. That seems a bit redundant.
[14:48:57] * anomie will have to figure out some Greasemonkey script to hide that.
[15:16:06] <Reedy>	 Krinkle: Any idea how to work out what commit hash npm is going to use for and older version of a library?
[15:16:20] <Reedy>	 hogan.js very unhelpfully has no git tags/similar for anything before version 2.0.0
[15:16:30] <Krinkle>	 Reedy: npm doesn't work with a concept of git like composer.
[15:16:46] <Reedy>	 Sure, but to install a version.. It must be attached to something?
[15:16:53] <Krinkle>	 Running npm pubish is nothing short of tar-balling the current working directory and uploading it under package.json#name+version
[15:16:53] <Reedy>	 Or is it just some files uploaded at some point and called that version?
[15:17:04] <Reedy>	 Lovely...
[15:17:21] <Krinkle>	 the idea that it relates to the git repo mentioned is just convention, and often a centerpoint of attacks.
[15:17:42] <Krinkle>	 E.g. compromising a package by publishing an inoccent commit to github and tagging it but uploading something different to npm
[15:18:17] <Krinkle>	 to view the contents, run 'npm install foo@bar' in a safe container, or use https://unpkg.com
[15:18:44] <Krinkle>	 or download the tarball manually using this url format: https://github.com/wikimedia/mediawiki/blob/master/maintenance/resources/foreign-resources.yaml#L72
[15:18:59] <Reedy>	 That was going to be my next question :)
[15:30:58] <_joe_>	 Reedy: are you looking at how to secure bundling semi-random things downloaded from npm in a secure way?
[15:31:04] <Reedy>	 No
[15:31:06] <Reedy>	 God no
[15:31:08] <_joe_>	 ok
[15:31:10] <Reedy>	 :P
[15:31:17] <Reedy>	 I'm trying to work out what I'm supposed to be reviewing for https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/MobileFrontend/+/482745/
[15:31:25] <_joe_>	 I was about to say I'm happy you have 1 year of your life to spare
[15:31:33] <Reedy>	 Which an upgrade of a package introduces 7 dependancies
[15:31:42] <Reedy>	 That may or may not be present in that minified patch
[15:31:48] <Reedy>	 Did you know that minified js is really easy to review?
[15:31:54] <Reedy>	 It's so helpful when you commit it for people to review
[16:10:25] * Nemo_bis submits the above as evidence that minified JS is the "preferred version" of the code and we can do without LibreJS
[16:26:30] <bpirkle>	 Would anyone have time to look at https://gerrit.wikimedia.org/r/c/mediawiki/core/+/454346 (Convert MultiHttpClient to use Guzzle)?  I've gotten a +1, but I'd love to get either a +2, or feedback on anything else that needs to be changed.  This task was started in August, so it'd be nice to finish it off.
[17:15:07] <tgr>	 Reedy: I thought the plan was to use npm to fetch the source but commit it to the patch and use ResourceLoader or webpack to minify it locally?
[17:15:34] <Reedy>	 Pass :)
[17:16:07] <tgr>	 I'd hope Security vetoes everything that does not snapshot the source
[17:16:57] <Reedy>	 Somewhat unfortunately, we've got a history of allowing it... But that of course doesn't make it right
[17:17:31] <Reedy>	 we being the WMF/MW community as a whole, not specifically the security team
[17:18:05] <Reedy>	 I do concur we should probably make some sort of policy for it
[17:18:33] <Reedy>	 If using RL, we're just commiting the usually unminified source, so it's easier to verify
[17:18:50] <Reedy>	 If upstream provide a minified version, and tag it etc... Great, we can hash and verify
[17:18:54] <Reedy>	 When we're self minifying it... All bets are off
[17:25:10] <Reedy>	 https://phabricator.wikimedia.org/T217351 filed as a TODO/followup thing
[20:07:30] <hknust>	 bpirkle:For T214316 is there a replacement method that should be used instead?
[20:07:31] <stashbot>	 T214316: Remove unused method Title::validateFileMoveOperation - https://phabricator.wikimedia.org/T214316
[20:19:40] <bpirkle>	 hknust: I suggest using the wording from the already-deprecated isValidMoveOperation (just above validateFileMoveOperation in Title.php)
[20:22:42] <bpirkle>	 hknust: but also see Reedy's comment on that task from a couple of minutes ago
[20:22:50] <Reedy>	 kill it with fire :)
[20:22:55] <bpirkle>	 Reedy: thanks!
[21:57:15] <dmaza>	 tgr: whenever you get a minute.. I've made some changes to https://gerrit.wikimedia.org/r/c/mediawiki/core/+/491686/
[22:19:49] <Reedy>	 Was someone making a commit with a "SpecialDisabled" or similar special page (like the api one)?
[22:21:05] <Reedy>	 Ah, yes DisabledSpecialPage
[22:37:53] <Reedy>	 tgr: https://meta.wikimedia.org/wiki/Special:TranslationStats :)
[22:38:48] <tgr>	 Reedy: not familiar with that page
[22:39:07] <Reedy>	 It was more the usage of your DisabledSpecialPage in the wild
[22:39:23] <Reedy>	 Though, why are the tabs still there?
[22:39:38] <tgr>	 those come from hooks, not the special page itself, I assume?
[22:39:46] <Reedy>	 Ohh, probably
[22:39:56] <Reedy>	 let's have a look
[22:40:16] <tgr>	 or maybe it's a SpecialPage function that's called before execute() and I didn't know of it
[22:40:54] <tgr>	 dmaza: will try to look at it today
[22:41:24] <MaxSem>	 Is EasyTimeline dying of old age? https://en.wikipedia.org/wiki/Gamma_Ray_(band)#Members
[22:42:31] <Reedy>	 	 * Adds the task-based tabs on Special:Translate and few other special pages.
[22:42:31] <Reedy>	 	 * Hook: SkinTemplateNavigation::SpecialPage
[22:42:49] <hauskatze>	 I'm trying to use Graph/Vega but so far I've failed catastrophically each try
[22:43:11] <hauskatze>	 looks like copy-pasting Vega examples into GraphSandox doesn't work either
[22:43:37] <Reedy>	 tgr: Yeah, minor hook update subscriber needs updating in Translate
[22:55:07] <Reedy>	 https://gerrit.wikimedia.org/r/493622
[23:36:33] <TimStarling>	 MaxSem: it was broken by https://en.wikipedia.org/w/index.php?title=Gamma_Ray_(band)&diff=852521852&oldid=848145767
[23:41:14] <TimStarling>	 hmm, ok, maybe not
[23:41:28] <TimStarling>	 if I make a trivial change (add a space) it re-renders correctly