The main goal of this issue is to avoid scanners (Dependabot
and friends), reporting about security issues with the current
xmldom 0.6.0 package.
Note that this doesn't affect prod at all, because it's a dev
dependency, hardly exploitable. So it's not a security fix, just
a security benefit, if anything.
So here, we are updating from xmldom 0.6.0 to @xmldom/xmldom 0.8.7
(note that the package was renamed in 0.7.0, so it's the very same)
Also, when proceeding with the changes, it was detected that we
are incorrectly declaring @babel/eslint-parser as a normal dependency
instead of a development one, so we are also fixing that little detail.
The commands executed to get the changes above applied have been:
- nvm use
- npm install @xmldom/xmldom@^0.8.7 --save-dev
- npm uninstall xmldom
- npm install @babel/eslint-parser@^7.17.0 --save-dev
(we haven't run a complete re-install because we only want to modify
the minimum possible at this stage).
A new grunt task, upgradablelibs, has been added in order to get the
list of libraries that have a newer version in their repositories.
Co-author: Andrew Lyons <andrew@moodle.com>
This commit switches to a new custom version of Shifter which sees it
put on a massive diet.
Many of the standard Shifter features are totally unused by Moodle, but
they add dependency spaghetti. Some of those dependencies will start to
cause us issues as they have not been updated for a very long time, are
no longer maintained, and are no longer compatible with anything
resembling a recent version of NodeJS.
This resolves an issue identified in 77083 which identified that GitHub
hashes shouldn't be treated as repeatable.
Whilst GitHub have reverted this change, it's still worth making this
change.
Unfortunately the babel minify-mangle plugin seems to be abandoned and
in certain circumstances can be very buggy. The only safe options are to
disable it, or to switch to a different minification library.
Not minifying our javascript is not ideal, so this commit updates the
javascript tasks to use a rollup, combined with babel, and terser.
Babel still converts code from ES/UMD/AMD to AMD modules with the
relevant browser support, whilst terser minifies the code.
The rollup bundler handles tracking and creation of sourcemaps, and
supports better parallelisation of the tasks.
Since the upgrade to Node LTS/Gallium requires an upgrade to @babel/core
and eslint, which change the built files anyway, this seems like the
ideal time to make this change.
Without modifying any installed package or dependency
because, after trying to do so, the updated stuff is huge
and leads to some JS validation / minimisation problems.
This new task handles building of component library documentation,
including the markdown to HTML, an index of the generated content used
for searching, and the CSS for the component library.
This change bumps the version of Shifter that we use to the final
release - version 1.2.0.
I strongly doubt that there will be more releases, and this release was
over two years ago.
This version uses a newer version of Istanbul, and fixes to use that
specific version of Istanbul. As a result I have forked Shifter and
applied the Moodle Circular Dependency fixes there instead.
This version also includes an upgrade to uglify from 1.3.x to 2.4.x. This
major upgrade includes some changes to the built YUI module code.
This change updates most libraries used in our Grunt build stack and
applies necessary changes to Grunt and Gherkin-lint configuration to
ensure that they continue to work.
The grunt-sass plugin has been updated to support alternative
'implementations' of sass compilers, and the chosen sass compiler must
now be specified in the grunt configuration. We continue to use the
`node-sass` package for this.
Our gherkin-lintrc included two rules which were renamed from
'no-unamed-*' to 'no-unnamed-*'. This change occurred in version 2.0.0
of Gherkin-lint and has no other effect.
Shifter is using an ancient and no-longer supported version of Istanbul. That
version contains a circular dependency whereby it fetches the version
from the index that included the file in the first place. This throws a
warning on newer versions of Node.
The fix here is simple and intended to be the bare minimum to remove
these warnings and resolve the issue.
We have forked the istanbul project and created a v0.1.37_moodle branch
at the root version of the Istanbul version that Shifter uses (v0.1.37
tag). The circular dependency is then addressed and a new tag created.
I have then forked Shifter, pointing its package.json at the tar.gz
download of that new tag and pushed a new branch and tag for that fix.
Following this our own package.json is updated to point to the tar.gz
version of the new Shifter tag.
Version 14.0.0 has just been released as stable, and will make its way
to an LTS release which will be supported until 30th April 2023.
At time of writing it is the "Current stable" release and will remain in
this phase until 20th October 2020, at which point it will transition
to LTS status.