Are we impacted by the GitLab.com 15.0 breaking changes?
GitLab 15.0 is rolling out to GitLab.com sometime between April 23 – May 22 and includes a number of breaking changes that might affect us.
GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces breaking changes that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.
OAuth changes
-
The OAuth implicit grant authorization flow is being removed, https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#oauth-implicit-grant - gitlab-org/gitlab#288516 (closed)
- Do we use this? Our Passport strategy is https://github.com/fh1ch/passport-gitlab2
- Based on https://www.youtube.com/watch?v=t_4CmFRyKk0, I don't think we use the implicit flow. AFAICT, we use the
authorization_codeflow from the video. - https://oauth.net/2/grant-types/implicit/
- https://docs.gitlab.com/14.10/ee/api/oauth2.html#authorization-code-flow
- https://docs.gitlab.com/14.10/ee/api/oauth2.html#implicit-grant-flow-deprecated
-
OAuth tokens get expiration dates (expire after 2 hours), https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#oauth-tokens-without-expiration - -> Fixes:
- gitlab-org/gitlab#340848 (closed)
- gitlab-org/gitlab#351182 (closed)
- I think this affects us since currently we rely on access tokens working forever after signing in.
- For GitLab, we seem to save the
refreshTokenasidentity.accessTokenSecreteven thoughidentityalso has arefreshTokenfield. Although we currently don't do anything with therefreshToken.- We can fix the code to write to the proper
identity.refreshTokenfield - And then write a migration to fix all of the existing GitLab users.
- We can fix the code to write to the proper
- "To retrieve a new
access_token, use therefresh_tokenparameter. Refresh tokens may be used even after theaccess_tokenitself expires." -- https://docs.gitlab.com/14.10/ee/api/oauth2.html#authorization-code-flow - All of our code that needs a GitLab access token already uses
getGitlabAccessTokenFromUser(user)which is async so we could also add in the necessary logic to refresh the token. But we probably want to addidentity.accessTokenExpiresdate to compare against
CI Changes
-
"We are removing retire.js from Dependency Scanning on May 22, 2022 in GitLab 15.0", https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#retire-js-dependency-scanning-tool - Probably need to remove
.gitlab-ci.yml#L479-481 - -> !2280 (merged)
- Probably need to remove
-
"In GitLab 15.0, GitLab SAST will no longer use the following analyzers: ESLint (JavaScript, TypeScript, React), Gosec (Go), Bandit (Python)", https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#sast-analyzer-consolidation-and-cicd-template-changes - We have the
ESLintone set which probably needs to be removed:.gitlab-ci.yml#L499-501 - -> !2280 (merged)
- We have the
Edited by Eric Eastwood