// Update third-party media libraries (libvpx, libdav1d, libaom, libopus, libcubeb, etc.) in the Firefox media/ directory. Use when updating codecs, decoders, or vendored media packages.
| name | update-media-lib |
| description | Update third-party media libraries (libvpx, libdav1d, libaom, libopus, libcubeb, etc.) in the Firefox media/ directory. Use when updating codecs, decoders, or vendored media packages. |
| context | fork |
This skill helps update vendored third-party media libraries in Firefox. Each library has its own update process documented in its README and moz.yaml files.
| Library | Path | Source Location | Update Method |
|---|---|---|---|
| libvpx | media/libvpx | media/libvpx/libvpx/ | Two-step with patches |
| libaom | media/libaom | third_party/aom/ | Two-step with patches |
| libsoundtouch | media/libsoundtouch | media/libsoundtouch/ | Two-step with patches |
| libspeex_resampler | media/libspeex_resampler | media/libspeex_resampler/ | Two-step with patches |
| highway | media/highway | third_party/highway/ | Two-step with patches |
| libcubeb | media/libcubeb | media/libcubeb/ | Two-step with patches |
| libpng | media/libpng | media/libpng/ | Two-step with patches |
| libogg | media/libogg | media/libogg/ | Two-step with patches |
| libyuv | media/libyuv | media/libyuv/libyuv/ | Two-step with patches |
| libdav1d | media/libdav1d | third_party/dav1d/ | Simple vendor |
| libvorbis | media/libvorbis | media/libvorbis/ | Simple vendor (file renames) |
| libwebp | media/libwebp | media/libwebp/ | Simple vendor |
| libjxl | media/libjxl | third_party/jpeg-xl/ | Simple vendor |
| libnestegg | media/libnestegg | media/libnestegg/ | Simple vendor |
| libopus | media/libopus | media/libopus/ | Script-based (update.sh) |
| Rust crates (git) | (Cargo.toml) | third_party/rust/* | Git crate (update rev + cargo update + mach vendor rust) |
| Rust crates (crates.io) | (Cargo.toml) | third_party/rust/* | Crates.io (update version + cargo update + mach vendor rust) |
| libjpeg | media/libjpeg | media/libjpeg/ | Script-based (update-libjpeg.sh) |
| Library | Path | Reason | Update Method |
|---|---|---|---|
| ffvpx | media/ffvpx | Requires platform-specific config regeneration | Manual rsync + config generation |
| libmkv | media/libmkv | No vendoring section, upstream abandoned | Cannot update |
If you have local changes to a Rust crate that you want to test before they're merged upstream, use /vendor-local instead. This skill (/update-media-lib) is for pulling the latest upstream release from remote repositories.
IMPORTANT: Before starting any work, determine what kind of update the user needs. If the user's request clearly indicates one type (e.g., they provide a commit URL to cherry-pick, or say "update to latest"), skip the question and proceed directly. Otherwise, use AskUserQuestion:
"What type of update do you need?"
- Full library update - Update the vendored library to a new upstream version
- Cherry-pick a specific commit - Apply a single upstream commit to the current vendored source
If the user provides a URL to a specific commit or mentions "cherry-pick", go directly to the Cherry-pick Process section. If the user asks to update to a version/tag or to latest, go to the Full Update Process section.
Cherry-picking applies a single upstream commit directly to the vendored source without running mach vendor. This is useful for backporting security fixes or targeted bug fixes.
media/<lib>/moz.yaml for the current vendored revision and upstream URL?format=TEXT for base64-encoded diffs, or from GitHub)media/<lib>/libvpx/path/to/file.c)./mach build to verifyCommit format for cherry-picks: If bug number provided:
Bug XXXXXX - Cherry-pick upstream <library> commit <short-hash>. <commit-subject>If no bug number:
Cherry-pick upstream <library> commit <short-hash>. <commit-subject>Verifying compatibility across branches: When the user asks whether a cherry-pick applies cleanly on a specific Firefox release (e.g., Firefox 147):
git log --oneline --before="<date>" -1 -- media/<lib>/moz.yamlgit show <commit>:media/<lib>/path/to/file.cmedia/<lib>/README_MOZILLA or README.md for library-specific instructionsmedia/<lib>/moz.yaml for current version and upstream URLLibraries with local patches use a two-step process:
# Step 1: Update the source (without patches)
./mach vendor media/<lib>/moz.yaml --patch-mode=none
# Step 2: Apply local patches
./mach vendor media/<lib>/moz.yaml --patch-mode=only --ignore-modified
Two-step libraries: libvpx, libaom, libsoundtouch, libspeex_resampler, highway, libcubeb, libpng, libogg, libyuv
IMPORTANT - Commit Workflow: For two-step libraries, ALWAYS ask the user whether they want:
IMPORTANT - Bugzilla Bug Number: ALWAYS ask the user if they have a Bugzilla bug number for this update. This should be asked alongside the commit preference question using AskUserQuestion.
If user provides a bug number, format commit messages as:
Bug XXXXXX - Update <library> to <version>Bug XXXXXX - Apply local patches to <library>If no bug number is provided, use the standard format without the "Bug XXXXXX - " prefix.
Use AskUserQuestion to get both the commit preference and optional bug number before proceeding.
Libraries without patches or with auto-applied patches:
# Update to latest
./mach vendor media/<lib>/moz.yaml
# Or update to specific version/commit
./mach vendor media/<lib>/moz.yaml -r <tag-or-commit>
# Or update from a fork
./mach vendor media/<lib>/moz.yaml --repo <repository-url> -r <commit>
Simple vendor libraries: libdav1d, libvorbis, libwebp, libjxl, libnestegg
Commit format for simple vendor: Ask for optional Bugzilla bug number. If provided:
Bug XXXXXX - Update <library> to <version>If no bug number:
Update <library> to <version>libopus uses a custom update script integrated with mach vendor:
./mach vendor media/libopus/moz.yaml
The update.sh script is automatically invoked during vendoring.
libjpeg uses a custom update script that requires cloning the upstream repository first.
Known issue with patch step:
The script runs patch -p0 from media/libjpeg/, but the patch file (mozilla.diff) contains paths like a/media/libjpeg/jmorecfg.h. With -p0, patch looks for a/media/libjpeg/jmorecfg.h relative to current directory, which doesn't exist. This is documented in MOZCHANGES: "fix up any rejects from applying the Mozilla specific patches".
Workaround: After the script fails at the patch step, apply manually with -p1 from Firefox root (strips the a/ prefix).
Update process:
Clone libjpeg-turbo to a temporary directory:
git clone https://github.com/libjpeg-turbo/libjpeg-turbo.git /tmp/libjpeg-turbo
Run the update script (patch step will fail - this is expected per MOZCHANGES):
./media/update-libjpeg.sh /tmp/libjpeg-turbo [tag]
# Example: ./media/update-libjpeg.sh /tmp/libjpeg-turbo 2.1.5.1
When prompted about patch failure, skip (press Enter or 'y')
Apply the patch manually from the Firefox root directory:
patch -p1 -i media/libjpeg/mozilla.diff
Clean up temporary clone:
rm -rf /tmp/libjpeg-turbo
Version compatibility:
src/ subdirectory) - may require additional workCommit format: Ask for optional Bugzilla bug number. If provided:
Bug XXXXXX - Update libjpeg-turbo to <version>If no bug number:
Update libjpeg-turbo to <version>Rust crates are defined in /toolkit/library/rust/shared/Cargo.toml and vendored into /third_party/rust/. There are two types:
Crates with a git URL and rev attribute pointing to a specific commit.
Examples:
mp4parse_capi - MP4 parser (https://github.com/mozilla/mp4parse-rust)cubeb-coreaudio - macOS audio backend (https://github.com/mozilla/cubeb-coreaudio-rs, default branch: trailblazer)cubeb-pulse - PulseAudio backend (https://github.com/mozilla/cubeb-pulse-rs)audioipc2-client / audioipc2-server - Audio IPC (https://github.com/mozilla/audioipc)Update process:
Find the current revision in /toolkit/library/rust/shared/Cargo.toml:
<crate-name> = { git = "https://github.com/...", rev = "<current-rev>", ... }
Get the new revision (commit hash or tag) from upstream repository
Update the rev attribute in Cargo.toml to the new revision
Update Cargo.lock to reflect the new revision:
cargo update -p <crate-name>
Run the vendor command:
./mach vendor rust
# Use --force if needed for large files
./mach vendor rust --force
Verify expected changes in /third_party/rust/<crate-name>*
Run cargo vet to check for missing audits:
./mach cargo vet suggest 2>&1 | head -20
Add required audits if any crates need certification (see crates.io section below for examples)
Include supply-chain/audits.toml in the commit if audits were added
Commit format: Ask for optional Bugzilla bug number. If provided:
Bug XXXXXX - Update <crate-name> to <revision>If no bug number:
Update <crate-name> to <revision>Crates with a version attribute, pulled from crates.io.
Examples:
cubeb-sys - Cubeb native bindings (bundles libcubeb C code)Update process:
Find the current version in /toolkit/library/rust/shared/Cargo.toml:
<crate-name> = { version = "<current-version>", ... }
Check available versions on crates.io:
cargo search <crate-name> --limit 1
Ask the user what version they want to update to. Present the current version, latest available version, and ask for their preferred target version.
Update the version attribute in Cargo.toml to the chosen version
Update Cargo.lock to reflect the new version:
cargo update -p <crate-name>
Run the vendor command:
./mach vendor rust
# Use --force if needed for large files
./mach vendor rust --force
Verify expected changes in /third_party/rust/<crate-name>*
Run cargo vet to check for missing audits:
./mach cargo vet suggest 2>&1 | head -20
Add required audits for each crate that needs certification:
./mach cargo vet certify <crate-name> <old-version> <new-version> --criteria safe-to-deploy --accept-all
For example, when updating cubeb crates from 0.30.1 to 0.32.0:
./mach cargo vet certify cubeb 0.30.1 0.32.0 --criteria safe-to-deploy --accept-all
./mach cargo vet certify cubeb-backend 0.30.1 0.32.0 --criteria safe-to-deploy --accept-all
./mach cargo vet certify cubeb-core 0.30.1 0.32.0 --criteria safe-to-deploy --accept-all
./mach cargo vet certify cubeb-sys 0.30.1 0.32.0 --criteria safe-to-deploy --accept-all
Include supply-chain/audits.toml in the commit
Commit format: Ask for optional Bugzilla bug number. If provided:
Bug XXXXXX - Update <crate-name> to <version>If no bug number:
Update <crate-name> to <version>generate_sources_mozbuild.sh requires python3-venv system packagepython3-venv before updating: apt install python3-venvmoz.build and asm/moz.build for file changes%if ARCH_X86_64 may need conditional handlingmedia/ffvpx/README_MOZILLA for detailed instructionsFor each library:
media/<lib>/moz.yaml - Version info, upstream URL, vendoring configuration, patches listmedia/<lib>/README_MOZILLA or README.md - Detailed update instructionsmedia/<lib>/*.patch - Local patches to applySome libraries store source in third_party/:
third_party/dav1d/ - dav1d sourcethird_party/aom/ - AOM sourcethird_party/highway/ - highway sourcethird_party/jpeg-xl/ - libjxl source./mach build./mach lint./mach format./mach cargo vet suggest - add any required audits./mach test --autoWhen a Rust crate update on central needs to be uplifted to older branches (ESR, beta, release), the process differs from a normal update because each branch may pin a different base revision of the crate.
Check what revision each branch uses:
# For each branch (esr140, beta, release)
git show origin/<branch>:toolkit/library/rust/shared/Cargo.toml | grep <crate-name>
Branches often share the same base revision (e.g., beta and release), so you may only need one or two backport branches.
If the upstream commit doesn't apply cleanly to a branch's base revision, create a backport branch on the upstream repo:
git clone <upstream-repo-url> /tmp/<repo>
cd /tmp/<repo>
# Create backport branch from the branch's base revision
git checkout -b backport-<branch> <base-revision>
# Cherry-pick the commit(s) from central's update
git cherry-pick <commit-hash>
# Push the backport branch
git push origin backport-<branch>
Note the resulting commit hash — this becomes the new rev for that Firefox branch.
# Check out the target branch
git checkout -b <branch>-uplift upstream/<branch>
# Edit Cargo.toml with the backport revision
# In toolkit/library/rust/shared/Cargo.toml, update the rev for the crate
# Update Cargo.lock
cargo update -p <crate-name>
# Vendor
./mach vendor rust
ESR branches may fail with cargo-vet errors (policy drift from central). In this case, use --force:
./mach vendor rust --force
--force Noise--force re-vendors ALL crates, adding .cargo_vcs_info.json, .github/, .travis.yml and other files to every crate. This produces 1000+ changed files. Only the target crate's changes should be kept.
# Unstage everything
git reset HEAD
# Restore all modified files EXCEPT the ones we want to keep
git diff --name-only | grep -v -E '^(\.cargo/config\.toml\.in|Cargo\.lock|toolkit/library/rust/shared/Cargo\.toml|third_party/rust/<crate-name>/)' | xargs git checkout --
# Remove all untracked noise files, keeping only the target crate
git ls-files --others --exclude-standard | grep -v 'third_party/rust/<crate-name>/' | xargs rm -f
# Clean up empty directories
find third_party/rust -type d -empty -delete 2>/dev/null
# Verify only target files remain
git status --short
Expected files after cleanup:
.cargo/config.toml.in — rev updateCargo.lock — lockfile updatetoolkit/library/rust/shared/Cargo.toml — rev updatethird_party/rust/<crate-name>/.cargo-checksum.json — updated checksumsthird_party/rust/<crate-name>/src/... — actual code changesmach try auto may fail on older branches with bugbug timeout errors (the bugbug service can't classify tasks for non-central revisions). Use mach try fuzzy as a reliable alternative:
# Build-only (fastest verification)
./mach try fuzzy -q "'build"
# If mach try auto works on the branch, that's also fine
./mach try auto
--force--force cleanup step is critical — without it you'll have 1000+ noise files in your patchapt install python3-venv (for libaom)--ignore-modified flag for step 2, or commit between steps./mach cargo vet certify <crate> <old> <new> --criteria safe-to-deploy --accept-all for each crate, then include supply-chain/audits.toml in the commit
[HINT] Download the complete skill directory including SKILL.md and all related files