2) We often don't know which versions we are using, because they are not recorded consistently.
3) It's hard to update those libraries; they have to be copy-pasted manually.
4) Because of this, libraries go unupdated indefinitely.
5) It's third-party code duplicated inside our repositories.
6) It makes it harder to develop our own code that depends on these libraries.
7) We currently have several inconsistent conventions.
Who will benefit:
1) Developers: development speed (predictability, fast installation, easier updating).
2) Security: our ability to know about and deal with security problems in third-party libraries. Knowing exactly which version of a library is shipped is the precondition for telling whether an advisory applies to us and for getting the fix out.
3) Possibly the WMF deployment team.
What we need:
2) We need to implement a way to make the selected system scalable and usable for end users, developers and WMF deployment alike.
3) (optional) deduplication of libraries.
4) (optional) predictability of which library versions are used, based on 1. (lock files, shrinkwrap).
5) (optional) a packaging, download and update platform (npmjs etc.).
Possible solutions are:
1) [[ https://yarnpkg.com | Yarn ]], an NPM-compatible client that combines the benefits of Composer (vendor dir, version contract/lock file, package deduplication, etc.).
2) Plain NPM for external users and developers, with a WMF-specific 'vendor' concept and the other things we need built on top; maybe some CDNJS-like system?
3) Specify a structure for how to import libraries into our extensions (a ResourceLoader flag?), so that it is clearer what we use, which versions, etc.
4) Turn JS libraries into Composer packages.