[In Progress] Chore: TR-3008 update 3rd party deps #175
Conversation
Nicholass
changed the title
package.json
Outdated
| "handlebars": "^4.7.8", | ||
| "interactjs": "1.3.4", | ||
| "jquery": "1.9.1", | ||
| "jquery": "^3.7.1", | ||
| "jquery-mockjax": "^2.6.0", | ||
| "jquery-simulate": "^1.0.2", | ||
| "lodash": "2.4.1", | ||
| "lodash": "^4.17.21", |
There was a problem hiding this comment.
I'm not sure we can get away with casually bumping all these libs.
The reason is that tao-core-sdk is not used in isolation, it is used as part of a fully-installed TAO where several other components are still using handlebars 1.3.0, jquery 1.9.1 and lodash 2.4.1. In some cases we would have a conflict in the browser (jquery for sure / lodash not sure).
That's why we intend to handle the upgrade of these libs with a dedicated task designed to upgrade each one in all places at the same time.
- Handlebars: https://oat-sa.atlassian.net/browse/TR-3264
- Jquery: https://oat-sa.atlassian.net/browse/TR-3262
- Lodash: task doesn't exist, but perhaps it should
The overall initiative to move some lodash usages to the v4 API is good, though. If you want to concentrate on that, you can continue, but be sure to test this library installed in tao-core in a full TAO Community.
There was a problem hiding this comment.
I realized that this one is indeed to risky. I guess I'll go with npm audit fix without --force for now.
There was a problem hiding this comment.
BTW, as Martin explained, you should have a look at how the FE packages relate to each other on TAO.
We have a bunch of libraries that are dependent on each other, hierarchically. When updating one, you need to spread the change across all others.
As a quick overview, we have in order:
- tao-core-shared-libs
- tao-core-libs
- tao-core-sdk
- tao-core-ui
- tao-item-runner
- tao-item-runner-qti
- tao-test-runner
- tao-test-runner-qti
And besides that, a galaxy of smaller packages that are consumed for the tooling, like:
- grunt-tao-bundle
- browserslist-config-tao
- eslint-config-tao
- prettier-config
- etc.
And some other specific libraries...
In TAO, we also have extensions that will contain frontend code too, consuming and relying on the above-mentioned libs.
A change in lodash, will impact all of that. The same with jQuery, Handlebars, Select2... Because these are peer dependencies, and only one version at a time is supported. If you update one in a package, it will conflict with the version required in another package.
In other words, we cannot update a single package without taking care of all of the others that depend on it
package.json
Outdated
| @@ -81,7 +81,7 @@ | |||
| "rollup-plugin-istanbul": "^2.0.1", | |||
| "rollup-plugin-json": "^4.0.0", | |||
| "rollup-plugin-node-resolve": "^5.2.0", | |||
| "select2": "3.5.1", | |||
| "select2": "^4.1.0-rc.0", | |||
There was a problem hiding this comment.
Have you checked what breaking changes are announced in select2 v4? Could it affect us?
There was a problem hiding this comment.
issue: This breaks TAO. We cannot upgrade Select2 for the time being, the code is not compatible, and a significant migration is required. Moreover, we should not use RC without a very good reason.
src/core/databinder.js
Outdated
| @@ -584,7 +584,7 @@ DataBinder.prototype._setNodeValue = function _setNodeValue($node, value) { | |||
| } | |||
|
|
|||
| //assign value | |||
| if (_.contains(['INPUT', 'SELECT', 'TEXTAREA'], $node[0].nodeName)) { | |||
| if (_.includes(['INPUT', 'SELECT', 'TEXTAREA'], $node[0].nodeName)) { | |||
There was a problem hiding this comment.
A better replacement might be vanilla Array.includes(). It would ease the work of upgrading lodash v2 to v4, if we end up doing that later.
| @@ -25,7 +25,7 @@ jobs: | |||
| node-version: 18.x | |||
| registry-url: https://registry.npmjs.org | |||
| - name: Install packages | |||
| run: npm ci | |||
| run: npm ci --legacy-peer-deps | |||
There was a problem hiding this comment.
This needs explanation too.
| @@ -25,7 +25,7 @@ jobs: | |||
| node-version: 18.x | |||
| registry-url: https://registry.npmjs.org | |||
| - name: Install packages | |||
| run: npm ci | |||
| run: npm ci --legacy-peer-deps | |||
There was a problem hiding this comment.
issue: This is adding an exception in the install flow. Setting install options in the CI won't remove issues when installing locally. A better approach is to rely on a local .npmrc so that the experience is seamless for everyone.
package.json
Outdated
| "handlebars": "^4.7.8", | ||
| "interactjs": "1.3.4", | ||
| "jquery": "1.9.1", | ||
| "jquery": "^3.7.1", |
There was a problem hiding this comment.
issue: This is breaking everything in TAO. Please do not apply blindly a version bump without properly migrating the code, especially when breaking changes are involved.
FYI, we already have tasks for taking care of these particular dependencies, as Martin already spotted.
package.json
Outdated
| @@ -81,7 +81,7 @@ | |||
| "rollup-plugin-istanbul": "^2.0.1", | |||
| "rollup-plugin-json": "^4.0.0", | |||
| "rollup-plugin-node-resolve": "^5.2.0", | |||
| "select2": "3.5.1", | |||
| "select2": "^4.1.0-rc.0", | |||
There was a problem hiding this comment.
issue: This breaks TAO. We cannot upgrade Select2 for the time being, the code is not compatible, and a significant migration is required. Moreover, we should not use RC without a very good reason.
reverted `--force` part. tests now good
Nicholass
force-pushed
the
chore/tr-3008/update-3rd-party-deps
branch
from
eed61c5
to
a56c89c
Compare
Version
There are 0 BREAKING CHANGE, 0 feature, 0 fix |
Coverage Report
|
|
it looks like less "Aggresive" version bump gives nothing but 1 high issue in addition |
Replaced deprecated lodash method calls
Tested with: