Page MenuHomePhabricator

Popups: Upgrade Popups dependencies
Closed, ResolvedPublic5 Story Points

Description

Keeping up to date with external software dependencies is important to keep code healthy.

The list of outdated NPM dependencies is currently:

Package               Current  Wanted  Latest
babel-loader            7.1.4   7.1.4   8.0.4
babel-preset-env        1.6.0   1.6.0   1.7.0
babel-register         6.24.1  6.24.1  6.26.0
bundlesize             0.15.3  0.15.3  0.17.0
clean-webpack-plugin   0.1.19  0.1.19   1.0.0
eslint-plugin-qunit     3.3.1   3.3.1   4.0.0
grunt-contrib-watch     1.0.1   1.0.1   1.1.0
husky                  0.13.3  0.13.3   1.1.3
nyc                    12.0.2  12.0.2  13.1.0
redux                   3.6.0   3.6.0   4.0.1
redux-thunk             2.2.0   2.2.0   2.3.0
stylelint               9.2.0   9.2.0   9.8.0
wdio-mocha-framework    0.6.1   0.6.1   0.6.4
wdio-spec-reporter      0.1.4   0.1.4   0.1.5
webdriverio            4.13.1  4.13.1  4.14.0
webpack                 4.1.1   4.1.1  4.25.1
webpack-cli            2.0.12  2.0.12   3.1.2

Some of these are major version-breaking upgrades and should be performed with great caution. The changelists for all upgrades should be reviewed with important changes summarized in the commit message. It is the duty of the committer to socialize important updates to the rest of the team, task new functionality we should use, do their best to confirm no unwanted changes will be inherited, and minimize risk. Please do your due diligence!

Acceptance criteria

  • Upgrade each library to latest
  • We should switch out husky with precommit (for consistency with other repos e.g. MobileFrontend)

Developer notes

Clean upgrades are tricky. Most packages are to do with testing.

  • webpack and redux upgrades are going to be the biggest concern, since they impact the code.
  • nyc, webpack-cli,eslint-plugin-qunit, babel-loader and redux likely to have breaking changes.
  • Important: If a library upgrade proves too difficult we have agreed to setup a new task and descope as part of this task to give the upgrade the attention it deserves.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 12 2018, 9:13 PM

(Removed unintentionally added local package, TypeScript.)

Jdlrobson updated the task description. (Show Details)Nov 13 2018, 5:58 PM
Jdlrobson set the point value for this task to 5.
phuedx added a subscriber: phuedx.Nov 13 2018, 6:03 PM

I estimated a 5 because:

  • The majority of these packages are dev-only and don't affect Popups' behaviour or build output.
  • Webpack does affect the build output but is a minor version bump, which implies that there shouldn't be any breaking changes.
  • I'm most concerned about the Redux version bump as it's a major, which does imply that there're breaking changes. IIRC there aren't a huge number of tests (but there are some!) covering the integration of the Popups codebase with the Redux library.
Jdlrobson renamed this task from Upgrade Popups dependencies to Popups: Upgrade Popups dependencies .Nov 15 2018, 6:44 PM
nray claimed this task.Dec 10 2018, 4:29 PM
nray added a subscriber: nray.

Change 479482 had a related patch set uploaded (by Nray; owner: Nick Ray):
[mediawiki/extensions/Popups@master] Upgrade bundlesize, clean-webpack-plugin, grunt-contrib-watch, nyc

https://gerrit.wikimedia.org/r/479482

Change 479483 had a related patch set uploaded (by Nray; owner: Nick Ray):
[mediawiki/extensions/Popups@master] Upgrade elint-config-wikimedia (drop eslint-plugin-qunit)

https://gerrit.wikimedia.org/r/479483

Change 479484 had a related patch set uploaded (by Nray; owner: Nick Ray):
[mediawiki/extensions/Popups@master] Upgrade stylelint-config-wikimedia and remove stylelint

https://gerrit.wikimedia.org/r/479484

Change 479485 had a related patch set uploaded (by Nray; owner: Nick Ray):
[mediawiki/extensions/Popups@master] Replace husky dependency with pre-commit

https://gerrit.wikimedia.org/r/479485

Change 479486 had a related patch set uploaded (by Nray; owner: Nick Ray):
[mediawiki/extensions/Popups@master] Upgrade webdriverio / wdio-spec-reporter

https://gerrit.wikimedia.org/r/479486

Change 479487 had a related patch set uploaded (by Nray; owner: Nray):
[mediawiki/extensions/Popups@master] Upgrade webpack / webpack-cli

https://gerrit.wikimedia.org/r/479487

Change 479488 had a related patch set uploaded (by Nray; owner: Nray):
[mediawiki/extensions/Popups@master] Upgrade redux / redux-thunk

https://gerrit.wikimedia.org/r/479488

nray removed nray as the assignee of this task.Dec 13 2018, 10:24 PM

Change 479482 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Upgrade bundlesize, clean-webpack-plugin, grunt-contrib-watch, nyc

https://gerrit.wikimedia.org/r/479482

Change 479483 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Upgrade elint-config-wikimedia (drop eslint-plugin-qunit)

https://gerrit.wikimedia.org/r/479483

Change 479484 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Upgrade stylelint-config-wikimedia and remove stylelint

https://gerrit.wikimedia.org/r/479484

Change 479485 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Replace husky dependency with pre-commit

https://gerrit.wikimedia.org/r/479485

Change 479486 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Upgrade webdriverio / wdio-spec-reporter

https://gerrit.wikimedia.org/r/479486

Change 479487 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Upgrade webpack / webpack-cli

https://gerrit.wikimedia.org/r/479487

A run of npm outdated tells me:
Package Current Wanted Latest Location
wdio-mocha-framework 0.6.3 0.6.3 0.6.4

Should we bump wdio-mocha-framework the extra step?

Per npm audit, there are 4 "high" vulnerabilities (with 44 "moderate" and 11 "low").

Thanks for that @Shreyasminocha! Annoyingly in production we are using node 6 so we can't benefit from these audits (have to do them manually every now and again). You are right though that these are dev dependencies.

I'm seeing just one issue now that could be resolved with

Run  npm install --save-dev grunt-contrib-watch@1.1.0  to resolve 2 vulnerabilities

Change 479488 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Upgrade redux / redux-thunk

https://gerrit.wikimedia.org/r/479488

nray added a comment.Dec 14 2018, 5:08 PM

A run of npm outdated tells me:
Package Current Wanted Latest Location
wdio-mocha-framework 0.6.3 0.6.3 0.6.4
Should we bump wdio-mocha-framework the extra step?

Per npm audit, there are 4 "high" vulnerabilities (with 44 "moderate" and 11 "low").

Thanks for that @Shreyasminocha! Annoyingly in production we are using node 6 so we can't benefit from these audits (have to do them manually every now and again). You are right though that these are dev dependencies.
I'm seeing just one issue now that could be resolved with

Run  npm install --save-dev grunt-contrib-watch@1.1.0  to resolve 2 vulnerabilities

@Jdlrobson the commit message for https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Popups/+/479486/ talks about why I chose not to upgrade wdio-mocha-framework to 0.6.4.

Grunt-contrib-watch was upgraded to 1.1.0 in https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Popups/+/479482/

Jdrewniak closed this task as Resolved.Dec 18 2018, 12:26 PM

LGTM 👍