-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[In Progress] Chore: TR-3008 update 3rd party deps #175
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current changes look too risky, but don't give up. Run a full TAO instance to understand which libs could or couldn't be safely upgraded.
package.json
Outdated
"handlebars": "^4.7.8", | ||
"interactjs": "1.3.4", | ||
"jquery": "1.9.1", | ||
"jquery": "^3.7.1", | ||
"jquery-mockjax": "^2.6.0", | ||
"jquery-simulate": "^1.0.2", | ||
"lodash": "2.4.1", | ||
"lodash": "^4.17.21", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure we can get away with casually bumping all these libs.
The reason is that tao-core-sdk
is not used in isolation, it is used as part of a fully-installed TAO where several other components are still using handlebars 1.3.0, jquery 1.9.1 and lodash 2.4.1. In some cases we would have a conflict in the browser (jquery for sure / lodash not sure).
That's why we intend to handle the upgrade of these libs with a dedicated task designed to upgrade each one in all places at the same time.
- Handlebars: https://oat-sa.atlassian.net/browse/TR-3264
- Jquery: https://oat-sa.atlassian.net/browse/TR-3262
- Lodash: task doesn't exist, but perhaps it should
The overall initiative to move some lodash usages to the v4 API is good, though. If you want to concentrate on that, you can continue, but be sure to test this library installed in tao-core in a full TAO Community.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I realized that this one is indeed to risky. I guess I'll go with npm audit fix
without --force
for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, as Martin explained, you should have a look at how the FE packages relate to each other on TAO.
We have a bunch of libraries that are dependent on each other, hierarchically. When updating one, you need to spread the change across all others.
As a quick overview, we have in order:
- tao-core-shared-libs
- tao-core-libs
- tao-core-sdk
- tao-core-ui
- tao-item-runner
- tao-item-runner-qti
- tao-test-runner
- tao-test-runner-qti
And besides that, a galaxy of smaller packages that are consumed for the tooling, like:
- grunt-tao-bundle
- browserslist-config-tao
- eslint-config-tao
- prettier-config
- etc.
And some other specific libraries...
In TAO, we also have extensions that will contain frontend code too, consuming and relying on the above-mentioned libs.
A change in lodash, will impact all of that. The same with jQuery, Handlebars, Select2... Because these are peer dependencies, and only one version at a time is supported. If you update one in a package, it will conflict with the version required in another package.
In other words, we cannot update a single package without taking care of all of the others that depend on it
package.json
Outdated
@@ -81,7 +81,7 @@ | |||
"rollup-plugin-istanbul": "^2.0.1", | |||
"rollup-plugin-json": "^4.0.0", | |||
"rollup-plugin-node-resolve": "^5.2.0", | |||
"select2": "3.5.1", | |||
"select2": "^4.1.0-rc.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you checked what breaking changes are announced in select2
v4? Could it affect us?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue: This breaks TAO. We cannot upgrade Select2 for the time being, the code is not compatible, and a significant migration is required. Moreover, we should not use RC without a very good reason.
src/core/databinder.js
Outdated
@@ -584,7 +584,7 @@ DataBinder.prototype._setNodeValue = function _setNodeValue($node, value) { | |||
} | |||
|
|||
//assign value | |||
if (_.contains(['INPUT', 'SELECT', 'TEXTAREA'], $node[0].nodeName)) { | |||
if (_.includes(['INPUT', 'SELECT', 'TEXTAREA'], $node[0].nodeName)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A better replacement might be vanilla Array.includes()
. It would ease the work of upgrading lodash v2 to v4, if we end up doing that later.
@@ -25,7 +25,7 @@ jobs: | |||
node-version: 18.x | |||
registry-url: https://registry.npmjs.org | |||
- name: Install packages | |||
run: npm ci | |||
run: npm ci --legacy-peer-deps |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs explanation too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, I understand the good intent, but I'm afraid this PR needs to be closed. None of the proposed version upgrades is acceptable in the state.
FYI, we have specific tickets for taking care of these major upgrades.
@@ -25,7 +25,7 @@ jobs: | |||
node-version: 18.x | |||
registry-url: https://registry.npmjs.org | |||
- name: Install packages | |||
run: npm ci | |||
run: npm ci --legacy-peer-deps |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue: This is adding an exception in the install flow. Setting install options in the CI won't remove issues when installing locally. A better approach is to rely on a local .npmrc
so that the experience is seamless for everyone.
package.json
Outdated
"handlebars": "^4.7.8", | ||
"interactjs": "1.3.4", | ||
"jquery": "1.9.1", | ||
"jquery": "^3.7.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue: This is breaking everything in TAO. Please do not apply blindly a version bump without properly migrating the code, especially when breaking changes are involved.
FYI, we already have tasks for taking care of these particular dependencies, as Martin already spotted.
package.json
Outdated
@@ -81,7 +81,7 @@ | |||
"rollup-plugin-istanbul": "^2.0.1", | |||
"rollup-plugin-json": "^4.0.0", | |||
"rollup-plugin-node-resolve": "^5.2.0", | |||
"select2": "3.5.1", | |||
"select2": "^4.1.0-rc.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue: This breaks TAO. We cannot upgrade Select2 for the time being, the code is not compatible, and a significant migration is required. Moreover, we should not use RC without a very good reason.
reverted `--force` part. tests now good
eed61c5
to
a56c89c
Compare
Version
There are 0 BREAKING CHANGE, 0 feature, 0 fix |
it looks like less "Aggresive" version bump gives nothing but 1 high issue in addition |
Replaced deprecated lodash method calls
Tested with: