
Bump to 4.15.2-0 #4195

Merged
merged 23 commits into from
Mar 25, 2022

Conversation

compulim
Contributor

@compulim compulim commented Mar 4, 2022

Related to #4192.

Changelog Entry

Changed

Description

Using node@16 for npm install and updated package-lock.json to version 2.

Bump all dependencies after release of 4.15.0, except Adaptive Cards and Cognitive Services Speech SDK, as they could require more efforts.

Added npm run bump scripts, to run them:

  • If the package is NOT maintained by lerna, run npm run bump
  • If the package is maintained by lerna, such as packages/bundle:
    1. Edit package.json to remove local peer dependencies
    2. Run npm run bump
    3. Edit package.json to add back removed local peer dependencies
    4. Run lerna bootstrap
    5. (Steps above are equivalent to what lerna did internally for lerna add and lerna bootstrap)

After bumping deps, we observe there are still a very few moderate or lower vulnerabilities related to create-react-app.

Design

npm run bump scripts

We added a quick NPM script for bumping dependencies.

For development dependencies, it will bump using ^ semver, excluding those marked by skipBump section in package.json.

npm install $(cat package.json | jq -r '(.devDependencies | keys) - .skipBump | .[]' | awk '{print $1 "@latest"}')

For production dependencies, it will bump as exact, excluding those marked by skipBump section in package.json.

npm install --save-exact $(cat package.json | jq -r '(.dependencies | keys) - .skipBump | .[]' | awk '{print $1 "@latest"}')

The version bump cannot be automated yet as it requires some manual work for lerna maintained packages.

Note: npm update will only update the deps in package-lock.json and to the semver specifier. When our iteration starts, we want to bump most dependencies to latest version even if they could be breaking.

Version considerations

We intentionally use @types/react@17 while we are using react@16, for VFC type and a few event handler mismatches.

At root level, we kept the following packages at lower version, as they are used by Jest and [email protected] (as of now) does not support ESM without an experimental flag:

Node.js 14 instead of 16 on Azure DevOps pipeline

We tried but could not enable npm@8 on Azure DevOps because of an issue when fetching [email protected], it would result in 404. Looks like Azure Artifacts is not able to "mirror" the NPM registry quickly enough. This specific version of [email protected] was released 6 months ago.

Falling back to Node.js 14 with NPM 6 works though.

I also tried p-defer and Azure Artifacts did not mirror the latest 4.0.0 version, it stayed at 3.0.0. Compare the result below between NPMJS and Azure Artifacts.

compulim@ubuntu:~$ curl --silent https://registry.npmjs.org/p-defer | jq .time
{
  "modified": "2021-04-09T05:22:44.627Z",
  "created": "2016-10-21T05:14:31.906Z",
  "1.0.0": "2016-10-21T05:14:31.906Z",
  "2.0.0": "2019-03-17T12:27:03.960Z",
  "2.0.1": "2019-03-23T08:56:36.724Z",
  "2.1.0": "2019-04-03T05:21:21.381Z",
  "3.0.0": "2019-06-07T08:11:13.854Z",
  "4.0.0": "2021-04-09T05:22:42.429Z"
}
compulim@ubuntu:~$ curl -H "Authorization: Basic ..." --silent https://XXX.pkgs.visualstudio.com/_packaging/XXX/npm/registry/p-defer | jq .time
{
  "created": "2018-09-17T16:54:32Z",
  "modified": "2022-01-13T04:46:30Z",
  "1.0.0": "2018-09-17T16:54:32Z",
  "3.0.0": "2022-01-13T04:46:30Z"
}

When fetching p-defer-4.0.0.tgz from Azure Artifacts:

compulim@ubuntu:~/$ curl -H "Authorization: Basic ..." --silent https://XXX.pkgs.visualstudio.com/_packaging/XXX/npm/registry/p-defer/-/p-defer-4.0.0.tgz | jq .
{
  "success": "false",
  "error": "Cannot find the file p-defer-4.0.0.tgz in package 'p-defer 4.0.0' in feed 'FuseNPM'",
  "reason": "Cannot find the file p-defer-4.0.0.tgz in package 'p-defer 4.0.0' in feed 'FuseNPM'",
  "innerException": null,
  "message": "Cannot find the file p-defer-4.0.0.tgz in package 'p-defer 4.0.0' in feed 'FuseNPM'",
  "typeName": "Microsoft.VisualStudio.Services.Packaging.Shared.WebApi.Exceptions.PackageNotFoundException, Microsoft.VisualStudio.Services.Packaging.Shared.WebApi, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
  "typeKey": "PackageNotFoundException",
  "errorCode": 0,
  "eventId": 3000
}

Specific Changes

  • I have added tests and executed them locally
  • I have updated CHANGELOG.md
  • I have updated documentation

Review Checklist

This section is for contributors to review your work.

  • Accessibility reviewed (tab order, content readability, alt text, color contrast)
  • Browser and platform compatibilities reviewed
  • CSS styles reviewed (minimal rules, no z-index)
  • Documents reviewed (docs, samples, live demo)
  • Internationalization reviewed (strings, unit formatting)
  • package.json and package-lock.json reviewed
  • Security reviewed (no data URIs, check for nonce leak)
  • Tests reviewed (coverage, legitimacy)
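
As an added example (not code from the pull request), a small Python check that compares a package's published versions on the public npm registry with those a private feed has mirrored, so a lagging mirror is detected before `npm install name@latest` is run against it. The two `.time` documents are constructed from the p-defer responses quoted above; the check assumes the highest published version is what `@latest` resolves to (dist-tags are not in `.time`), and all function names are this example's own.

```python
import json
import re

# Keys in a registry `.time` object that look like versions; the rest
# ("created", "modified") are bookkeeping and are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")

# Constructed sample: `curl https://registry.npmjs.org/p-defer | jq .time`.
UPSTREAM_TIME = json.loads("""{
  "modified": "2021-04-09T05:22:44.627Z", "created": "2016-10-21T05:14:31.906Z",
  "1.0.0": "2016-10-21T05:14:31.906Z", "2.0.0": "2019-03-17T12:27:03.960Z",
  "2.0.1": "2019-03-23T08:56:36.724Z", "2.1.0": "2019-04-03T05:21:21.381Z",
  "3.0.0": "2019-06-07T08:11:13.854Z", "4.0.0": "2021-04-09T05:22:42.429Z"}""")

# Constructed sample: the same query against the private (mirroring) feed.
MIRROR_TIME = json.loads("""{
  "created": "2018-09-17T16:54:32Z", "modified": "2022-01-13T04:46:30Z",
  "1.0.0": "2018-09-17T16:54:32Z", "3.0.0": "2022-01-13T04:46:30Z"}""")


def semver_key(version):
    """Sort key for MAJOR.MINOR.PATCH[-pre]; a pre-release sorts below its release."""
    major, minor, patch, pre = VERSION_RE.match(version).groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")


def versions(time_doc):
    """Published versions from a `.time` object, oldest to newest."""
    return sorted((k for k in time_doc if VERSION_RE.match(k)), key=semver_key)


def compare_feeds(upstream_time, mirror_time):
    """What `@latest` resolves to on each side, and what the mirror lacks.
    Assumption: highest version == latest (dist-tags are not in `.time`)."""
    up, mi = versions(upstream_time), versions(mirror_time)
    mirrored = set(mi)
    return {
        "upstream_latest": up[-1] if up else None,
        "mirror_latest": mi[-1] if mi else None,
        "missing_from_mirror": [v for v in up if v not in mirrored],
        # False means a bump to @latest would 404 on the tarball, as in the PR.
        "latest_resolvable": bool(up) and up[-1] in mirrored,
    }


def is_feed_not_found(body):
    """True when a tarball fetch returned the feed's PackageNotFoundException
    JSON error document (the body shown above) instead of the .tgz bytes."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("typeKey") == "PackageNotFoundException"


if __name__ == "__main__":
    print(json.dumps(compare_feeds(UPSTREAM_TIME, MIRROR_TIME), indent=2))
```

Running it on the constructed inputs reports `4.0.0` upstream against `3.0.0` on the mirror, with `latest_resolvable` false, which is exactly the condition that produced the 404 during the npm@8 attempt.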

@compulim compulim marked this pull request as ready for review March 10, 2022 17:49
@compulim compulim added the p0 Must Fix. Release-blocker label Mar 15, 2022
@compulim compulim changed the title Bump to 4.15.1-0 Bump to 4.15.2-0 Mar 15, 2022
@cwhitten
Member

Bumping these dependencies really adds 300k LoC?

@tonyanziano
Contributor

Bumping these dependencies really adds 300k LoC?

I think the bulk of it is package-lock.json diffs:


@compulim compulim merged commit cc43231 into microsoft:main Mar 25, 2022
@compulim compulim deleted the bump-4.15.1-0 branch March 25, 2022 18:10
@compulim compulim mentioned this pull request May 6, 2022