Replace Bower (and libs/) with npm #12067
Comments
Findus23
added
c: Platform
|
An example package.json: {
"name": "piwik",
"version": "1.0.0",
"description": "the leading free/libre analytics platform",
"main": "piwik.js",
"directories": {
"test": "tests"
},
"repository": {
"type": "git",
"url": "git+https://github.com/piwik/piwik.git"
},
"author": "Piwik.org <hello@piwik.org>",
"license": "GPL-3.0+",
"bugs": {
"url": "https://github.com/piwik/piwik/issues"
},
"dependencies": {
"jquery-ui": "1.10.4",
"jquery": "~2.2.0",
"angular": "~1.6.0",
"angular-sanitize": "~1.6.0",
"angular-animate": "~1.6.0",
"angular-cookies": "~1.6.0",
"angular-mocks": "~1.6.0",
"ng-dialog": "~1.3.0",
"html5shiv": "~3.7.0",
"mousetrap": "~1.4.0",
"sprintf-js": "~1.0.0",
"jscrollpane": "~2.0.0",
"jquery-mousewheel": "~3.1.12",
"jquery-placeholder": "~2.0.7",
"jquery.dotdotdot": "~1.7.2",
"jquery.scrollto": "~1.4.13",
"chroma-js": "~0.6.0",
"visibilityjs": "~1.2.1"
},
"keywords": [
"piwik",
"web",
"analytics"
],
"homepage": "http://piwik.org"
} |
FYI the reason we put all JS files in the repository is so that people can easily use Piwik from GIT: https://piwik.org/faq/how-to-install/faq_18271/
There are services that read the bower.json and composer files and report any outdated library, so far we have tried this tool: https://gemnasium.com/piwik/piwik (currently doesn't load but may be temporary issue). |
|
If it helps to maintain and easily update the libs, I wouldn't mind using npm or similar to maintain all (non php) dependencies. We still could commit those libraries to git, so it can be directly used. |
|
I agree that this would be a breaking change and probably should be made with Piwik 4. But I am still quite against checking the resulting I'd really recommend to do it the same way as PHP dependecies in composer (run npm install on tests and build script, do updates similar to #11780, still remove unwanted directories in the build script |
|
Another idea would be adding the libraries in /tests/libs as dev-dependecies in the package.json. UPDATE: I feel like this folder needs a cleanup equally desperately: The java-folder holds 7-9 year old java files without a license or context. And screenshot-testing has an empty node_modules folder |
|
+1 definitely to switch to |
Yes, you're most welcome to remove anything un-used there 👍 (we iterated a lot in tests over the last 4 years and definitely a few things could be cleaned up) |
|
While npm is still not the fastest package manager it definitly improved. And one factor is that we are mostly using flat dependecies (e.g. jquery) instead of fetching (server-side) node-modules which hundreds of dependencies each. |
Seems like github now also offers this functionality out of the box (even though it seems a bit like work in progress) |
|
(slightly out of topic, this article about NPM is a really interesting read: I’m harvesting credit card numbers and passwords from your site. Here’s how.) |
|
important note: let's not upgrade Jquery library. Because Matomo for Wordpress uses the Jquery provided by WP which is old. Only when WordPress upgrades their Jquery then we can upgrade ours. Sounds funny but unfortunately that's the case for now. |
@mattab Could you expand on that please? I fail to understand what wordpress is doing here. What could be the reason to ship vulnerable and outdated code to your users?
Again, I fail to understand your point of view here. How is shipping libraries that are never updated a good thing? Look into this directory: https://github.com/matomo-org/matomo/tree/4.x-dev/libs/bower_components The last update time is in YEARS. Years for a javascript library is a lot. If you don't like npm you can use yarn, but staying like that doesn't seem like a good idea.
Well, in 2020 you can be pretty sure that users that don't use Docker will have node/npm installed, so asking them to do
No! Why do that? This is what a politician would do! Only half-measure instead of eradicating the problem entirely! Use npm, then use webpack or parcel to bundle the dependencies into nice bundles (not git tracked!) and voilà ! I would strongly recommand to tackle this issue. I think we can all agree that vendored dependencies should not be kept in the repo. And having a package-lock.json (or yarn.lock) also allows github and other tools to scan for vulnerabilities in the versions. The change of name from piwik to matomo is a great opportunity to introduce such changes and improve dramatically the codebase. Anyway, I'm just giving my opinion on the matter and at the end of the day you do what you think is best. I wanted to maybe try and contribute to this project, but when I saw the Finally, my tone might seem harsh and I'm sorry if you read it like that, I'm just trying to participate to the discussion and improve this project! :) Cheers, |
|
@NicolasCARPi
This one I agree with you. In my opinion we should not be committing the files, but running npm in the build script of the matomo.zip just like we do with composer. Requiring all Matomo developers to have npm and node isn't really that much to require (and all php software projects already do it)
And here I totally disagree. I don't have any statistics to prove this, but I am very sure that at leat 90% of all Matomo instances run on servers without access to node/npm or even a php-cli. Because they are running on PHP shared hosters or other kind of servers without any access apart from FTP. And while I also would prefer if every Matomo user knew what a So we can't run any nodejs on the Matomo instance itself, but shipping libraries installed with npm in the matomo.zip should be possible. One thing that also makes things harder (especially considering webpack) is that every Matomo plugin can add custom JS and CSS (and even LESS overwriting variables) which makes using webpack as a build step for the matomo.zip hard.
I get this and to feel better I check that no library used has a reported security issue affecting Matomo.
This is another issue. There is a official Matomo for Wordpress plugin that "simply" ships Matomo inside a wordpress plugin. Unfortunately Wordpress is stuck in an even larger backwards compatibility loop which forces them to ship an ancient jquery version but changing this would mean breaking millions of websites and plugins, so they won't do it anytime soon. I don't have a solution for this as staying with an ancient version isn't really a solution and using a normal version means that the plugin can't be published. One last thing: In case you know an actual security issue that affects Matomo because of some outdated library, please contact us: https://matomo.org/security/ |
|
Thank you @Findus23 for your reply, I'm glad the work towards NPM has already started! :) Shipping an already complete .zip archive is indeed a viable solution for ease of use. ~Nico PS:
That doesn't make it invalid in my book ;) |
mattab
changed the title
(I think this issue is really low priority but quite important to do one day so I want to start a discussing)
In my opinion keeping all third-party-libraries checked into the main repository is a bad idea. It makes it hard to see which libraries are outdated and have bugs, which may be already fixed upstream, which LICENSEs belong to which files and which files aren't used any more (There are placeholder background images from the first visitor popup lying around in
/libs/jquery/images/)For PHP libraries Piwik is (mostly) using composer to solve this issue, so I'd propose to do the same with javascript (and css) libraries and npm.
While bower also helps, it doesn't support as many libraries and even the bower team recommends switching to npm.
Since version 5 npm also supports a lockfile similar to composer which would make sure that the CI and the built package would have the same version as tested while developing.
Another advantage would be that we would have a well formated list of used libraries and their licenses (compared to LEGALNOTICE), which may help avoiding incompatible licenses (e.g. version 3 of jQuery.dotdotdot)
see also #6469, #12021
The text was updated successfully, but these errors were encountered: