-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[performance] make sure decompress is set to 4.2.0 #7715
Conversation
decompress 4.2.1 will cause a huge performance degradation in plugins deployment See: kevva/decompress#77 Signed-off-by: Amiram Wingarten <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
@amiramw can we revert back to If we revert back to I think |
@vince-fugnitto the fix to the security vulnerability caused the performance issue. what is the difference if in both cases the downstream project has to set its own version via reoslution? or did you mean to pin version via other method? |
The problem is that we specify a version range with this change that is too restrictive, we don't have the possibility as far as I know in a downstream app to use a resolution to pin it to a higher version (without the vulnerability). If we kept
|
I think you can define resolution that is not within the range defined by your dependency. See yarn documentation:
If you want to pin version via yarn.lock and not resolution then I think you are right. Anyway, if other consumers care more about the security vulnerability than this performance issue then I don't mind the revert. It should probably come with breaking change documentation explaining how to pin it. |
The main issue in my eyes is that, currently, we effectively force any downstream project to use an insecure dependency version, unless they take action to force otherwise (e.g. through a resolution). We're making it hard to do the right thing, security-wise.
Potentially. For it to matter, there would need to be a big degradation, that is noticeable for the user. I do not think I would notice if a plugin I am installing took To test this I have forked the linked (open in Gitpod to take advantage of the automated build or follow the instructions in README) Sample run on Gitpod # (total execution time, decompress v4.2.0)
real 0m2.695s
user 0m2.546s
sys 0m1.109s
# (total execution time, decompress v4.2.1)
real 0m4.763s
user 0m4.383s
sys 0m2.555s The relevant line to look-at is "real": So we're looking at a ballpark of
Not sure this qualifies as a breakage? Anyway I am in favour of adding an entry in I would not offer any advice on how to keep an older version in this case, though any downstream project are free to do as they please. |
The time penaly was huge when some heavy extensions were not bundled (I measured 3 minutes compared to 30 seconds ). |
Could you measure with intalling java extension? It is 50Mb. |
I think python is more interesting. As it has 2.5K files in the vsix. |
update: I think understand now. The concern is that the example from the main repo, that I used as a base for measurements, does not pull some of the heaviest extensions. |
I have updated my Gitpod example to add both the Java and Python extensions. Indeed the Python ext is the worst case I have seen so far. Here are a few scenarios: Only Python ext# (total execution time, decompress v4.2.0) # (total execution time, decompress v4.2.1) Only Java ext# (total execution time, decompress v4.2.0) # (total execution time, decompress v4.2.1) Python, Java and all extensions from main repo example app:# (total execution time, decompress v4.2.0) # (total execution time, decompress v4.2.1) Conclusion: with all the extensions from the main repo's example application, plus python and Java, it takes ~7s more to decompress all extensions, vs the earlier version of |
By bundling I mean using webpack or alike to reduce the number of files in the vsix. When vsix has thousands of files, like python, then a lot of time and cpu is spent by decompress. |
@amiramw thanks for the clarification.
Everything else being equal, extrapolating the Python case ( ~2.5k files takes about 12s to decompress), your extension probably contained a huge number of files, as in multiple tens of thousands, to take 3 mins? I propose that the best way forward is to start by adopting the latest |
At the time there were several extensions with ~10K files each. And yes, vsce showed warnings and suggested bundling. |
decompress 4.2.1 will cause a huge performance degradation in plugins deployment
See: kevva/decompress#77
Signed-off-by: Amiram Wingarten [email protected]
What it does
Set decompress dependency on plugin-ext to 4.2.0 exactly as 4.2.1 brings major performance degredation. This fixed version will make sure that theia and dependent projects don't build their product with 4.2.1.
How to test
If yarn.lock is deleted and theia is built with decompress 4.2.1 the loading of vsix files takes very high CPU and takes at least twice compared to current situation.
With current theia yarn.lock decompress is still 4.2.0 so there is no current problem.
Review checklist
Reminder for reviewers