Release @kbn/handlebars to npm #150522

Open
watson opened this issue Feb 8, 2023 · 7 comments
@watson
Contributor

watson commented Feb 8, 2023

I think it would be a great idea to release our version of the handlebars (currently named @kbn/handlebars) to npm under the name @elastic/handlebars.

The reasons are:

  1. More eyes on the source code means more secure and less buggy source code.
  2. Great opportunities for conference talks and blog posts about why we made it, how we made it, and how it can improve the security of other people's applications.
  3. Giving back to the community is just the right thing to do.

I often hear that we don't want to release a piece of code to npm because it gives us an extra maintenance burden. However, I think this is completely wrong because:

  1. As long as we still use it ourselves it's in our own best interest to maintain it.
  2. If a user asks to have a feature added which we don't require ourselves, we don't have to comply. It's our project and we choose what to include in it. There's nothing wrong with that.
  3. If we stop using it ourselves and feel the burden of maintaining it for others is too big, we can either:
    • Move it to a community maintained org on GitHub and invite collaborators to take it over.
    • Just deprecate it. We're not required to maintain something forever just because we once made it public.

So as I see it, the upsides of releasing this to npm far outweigh the theoretical downsides.

watson added the Team:Security label (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!) Feb 8, 2023
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego
Member

legrego commented Feb 8, 2023

I would also be interested in seeing if Handlebars would accept these improvements upstream as a runtime option: handlebars-lang/handlebars.js#1934

@u873838

u873838 commented Sep 6, 2023

Any update on this?

@djahandarie

Thank you so much for doing this. We use this in our MV3 extension yomitan (no eval is allowed). It'd be great if you could package this, as it'd make our build process much cleaner. (FWIW, I think it's more ideal for us as a fork, as the eval is clearly eliminated from the codebase that way.)

@legrego
Member

legrego commented Nov 29, 2023

@elastic/kibana-operations what is the best way for us to proceed? Changing the namespace to @elastic instead of @kbn is straightforward, but do we have precedent for publishing modules to npm which reside within the Kibana monorepo? It seems like we don't have any @elastic-namespaces packages in the repo anymore.

One-off publishing may be easy enough to accomplish, but having a dedicated workflow to follow would be best for long-term sustainability & security.

@jbudz
Member

jbudz commented Nov 29, 2023

> @elastic/kibana-operations what is the best way for us to proceed? Changing the namespace to @elastic instead of @kbn is straightforward, but do we have precedent for publishing modules to npm which reside within the Kibana monorepo? It seems like we don't have any @elastic-namespaces packages in the repo anymore.

We don't, it's not supported under the current packaging workflow. The remaining elastic namespace packages were removed in #138957.

The recommendation is to split the package out into a new repository.

@davidfant

For those looking, I created a kibana fork to publish kbn-handlebars: https://www.npmjs.com/package/kbn-handlebars
davidfant@e3e925c

kc13greiner self-assigned this Jun 24, 2024