The Official Yeti Blog

Updates on Yeti development at Yahoo!

This blog has been retired. Follow Yeti development on the YUI Blog.

Yeti 0.2.5 released

While work to make Yeti more compatible with older browsers continues, we’re releasing a smaller Yeti 0.2.5 today that includes bug fixes:

  • A security fix, detailed below.
  • Fix Bug #76 Run fixture YUI Tests offline; really no longer depend on yui.yahooapis.com at runtime.
  • Fix Bug #74 $yetify JavaScript should not be injected into CSS.
  • Avoid crashing Yeti on certain types of bad requests.

Upgrade now

You can install the latest Yeti with one command:

npm install -g yeti

Security fix

Yeti works with a Client and a Hub. The Client is the instance of Yeti that provides tests. Browsers connect to the Hub, which can be an instance of Yeti running on a different computer.

Yeti 0.2.0 and later makes it possible to have the Hub and Client operate on separate computers. Many Clients can share the same Hub of browsers. In order for the Hub to serve tests that live on another computer, Yeti uses a bi-directional RPC system that allows for the Hub to request files from the Client.

Test files are more than the HTML files that are passed on the command line, since those files often reference JS and images that live near the files. Yeti 0.1.x addressed this by serving any files to the Hub, as long as they are inside the directory where Yeti’s Hub was started.

Yeti 0.2.0 – 0.2.4 did not check to make sure files requested from a Hub were inside the directory where Yeti’s Client was started. This was fixed in a commit this week. A security risk can exist if:

  • You connect to a Yeti Hub that is running on another computer, or is running with more privileges than the Client on your computer.
  • The Yeti Hub you use was modified to send malicious commands to request files not related to testing.

The risk is minimal, but users of Yeti 0.2.0 – 0.2.4 are advised to upgrade to 0.2.5.
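
The kind of containment check that was missing, as an added example (this is not Yeti's code or the commit that fixed it). The helper name `resolveInsideRoot`, the root directory and the sample requests are constructed for illustration. The check is lexical only, so a Client that serves symlinked files would also need to compare real paths.

```javascript
const path = require('path');

// Hypothetical helper (not part of Yeti's API): returns the absolute path
// the Client may serve, or null when the request escapes `root`.
function resolveInsideRoot(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const base = path.resolve(root);
  // resolve() collapses "." and ".." segments; an absolute `requested`
  // replaces `base` entirely, which the relative() test below catches.
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  // Outside the root when the relative path climbs upward, or is absolute
  // (a different drive on Windows). Comparing on a path separator avoids
  // the prefix mistake where "/home/dev/project-old" looks like it is
  // inside "/home/dev/project".
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample: directory where the Client was started, and file
// requests as they might arrive from a Hub.
const ROOT = '/home/dev/project';
const SAMPLE_REQUESTS = [
  'test/index.html',              // a test page
  'test/../lib/util.js',          // ".." that stays inside the root
  'test/..fixture.js',            // file name that merely starts with ".."
  '../../other/notes.txt',        // climbs out of the root
  '/var/data/report.txt',         // absolute path elsewhere
  '../project-old/build/app.js'   // sibling directory sharing the prefix
];

// Pair each request with the path that would be served (null = rejected).
function auditRequests(root, requests) {
  return requests.map((r) => ({ requested: r, served: resolveInsideRoot(root, r) }));
}

for (const row of auditRequests(ROOT, SAMPLE_REQUESTS)) {
  console.log(row.served ? 'SERVE ' : 'REJECT', row.requested);
}
```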

Browser support update

We are hard at work on developing a version of Yeti that works with as many GBS browsers as possible. Since last week, we discovered that the Socket.io project, which Yeti uses to communicate with connected browsers, has stopped triaging bugs affecting certain browsers we wish to support, such as IE 6 and 8. (See: IE6 handshake error, IE 8 disconnect bug.)

We spent last week developing a branch of Yeti that uses the SockJS project instead of Socket.io. Work on this branch is promising, but is not yet ready for release.

No matter what system we use, we intend to get Yeti more stable and reliable on more browsers in releases to come. We’re working on it! Stay tuned.

General documentation: http://yeti.cx/docs/v0.2.5/quick-start/

API documentation: http://yeti.cx/docs/v0.2.5/api/

Detailed API documentation: http://yeti.cx/docs/v0.2.5/api/everything/

CI testing: http://travis-ci.org/yui/yeti

Code coverage: http://yeti.cx/docs/v0.2.5/coverage.html

Report a bug: http://yuilibrary.com/projects/yeti/newticket


Yeti is a product of YUI Library.
Copyright © 2013 Yahoo! Inc. BSD licensed.