Problem/Motivation
Update as many dependencies as possible before shipping Drupal 10.
Steps to reproduce
yarn outdated
Proposed resolution
Major
Package | Current | Latest | Issue |
---|---|---|---|
chromedriver | 98.0.1 | 107.0.1 | #3317879: Remove Chromedriver as a JavaScript dependency |
stylelint-config-standard | 28.0.0 | 29.0.0 | #3317882: Update to stylelint 14.14.1 and stylelint-config-standard 29.0.0 |
Minor
Package | Current | Latest | Issue |
---|---|---|---|
cspell | 6.8.1 | 6.14.0 | #3319158: Update CSpell to 6.14.0 |
eslint | 8.23.0 | 8.27.0 | #3319819: Update eslint to 8.27 |
nightwatch | 2.1.4 | 2.4.1 | #3306446: Update Nightwatch to 2.4.1 |
stylelint | 14.11.0 | 14.14.0 | #3317882: Update to stylelint 14.14.1 and stylelint-config-standard 29.0.0 |
Patch
Package | Current | Latest | Issue |
---|---|---|---|
postcss | 8.4.16 | 8.4.18 | #3317887: Update PostCSS, postcss-header, and postcss-preset-env |
postcss-preset-env | 7.8.1 | 7.8.2 | #3317887: Update PostCSS, postcss-header, and postcss-preset-env |
Remaining tasks
.
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#51 | 3258933-51.patch | 46.89 KB | longwave |
Comments
Comment #2
alexpott
Comment #3
alexpott
Running `yarn upgrade` to do all the semver allowed upgrades results in:
The error results in our commit checks not running. This will be resolved by the next release of terser.
Comment #4
alexpott
See https://github.com/terser/terser/commit/05b23eeb682d732484ad51b19bf52825...
Comment #5
xjm
I filed #3262573: Update our yarn dev dependencies to the extent allowed by current constraints which covers the first step of the scope here and fixes two of the three "high" severity vulns from 10.0.x through 9.3.x as allowed under the current constraints. Maybe worth postponing this issue on that going into the respective branches?
Comment #6
xjm
@lauriii and I discussed what to do next after #3262573: Update our yarn dev dependencies to the extent allowed by current constraints, and he suggested it would be best to handle some of the dependencies individually, particularly where there are security updates that require changing constraints. He will file issues for those.
Comment #7
xjm
Also see #3238507: Drupal 10 JavaScript dependency plan.
Comment #8
lauriii
Added child issues to the issue summary and made this a meta issue.
On top of that, to get empty `yarn audit` output, CKEditor 5 team will have to resolve https://github.com/ckeditor/ckeditor5-dev/pull/695.
Comment #9
lauriii
#3262573: Update our yarn dev dependencies to the extent allowed by current constraints has been committed.
Comment #10
xjm
Technically beta1 is the deadline here, although it would be good to get the major updates especially in sooner.
Comment #11
xjm
Well, let's just say this.
Comment #12
lauriii
Moved issues that are not required for cleaning `yarn audit` to #3238507: Drupal 10 JavaScript dependency plan.
Comment #13
xjm
Comment #14
xjm
Comment #15
Charles Belov
For accessibility, please spell out acronyms on first use.
Comment #16
lauriii
Comment #17
lauriii
Comment #18
lauriii
Comment #19
Spokje
Comment #20
Spokje
Comment #21
Spokje
Comment #22
Spokje
Comment #23
Spokje
Comment #24
Spokje
Comment #25
Spokje
Comment #26
Spokje
Comment #27
lauriii
Comment #28
lauriii
Comment #29
lauriii
We may want to wait until https://github.com/shipshapecode/shepherd/pull/2037 has landed before we update Shepherd.js.
Comment #30
nod_
Let's not wait. I have no idea when it'll make it and the change to 10.0 doesn't impact us so it's safe to update.
Comment #31
lauriii
Thanks @nod_! Opened an issue for that.
Comment #32
lauriii
Comment #33
lauriii
Comment #34
bnjmnm
Comment #35
longwave
Updated IS with the current state of things.
Comment #36
longwave
Comment #37
Gábor Hojtsy
Comment #38
longwave
Comment #39
longwave
I tried to upgrade ESLint but there is something wrong with my local setup, `yarn lint:core-js-passing` never finishes even if I leave it for 30 mins or more.
Comment #40
nod_
Maybe we should group all the easy ones into one patch so that we don't have to reroll all the time because of yarn.lock conflicts?
Comment #41
effulgentsia (at Acquia)
Re #39, upgrading ESLint worked fine on my machine, and after doing so, `yarn lint:core-js-passing` completed in less than a minute. I opened #3319819: Update eslint to 8.27 with the resulting patch. Currently, that's the last minor-level one. Following that, here's what's left as of today; these are all patch-level:
`yarn outdated`:
Comment #42
nod_
Added #3319917: Remove raw-loader dependency so that we have a clean `yarn audit`.
Comment #43
effulgentsia (at Acquia)
#3317887: Update PostCSS, postcss-header, and postcss-preset-env landed in 10.0.x, which is the last of the current child issues. However, `yarn outdated` now shows:
I'd suggest opening two new child issues: one for webpack, since that's a minor version update, and one for the other 3, which are all patch-level, unless folks want to suggest a different approach.
Also, what's the best way to find out if we're up-to-date on all our other JS dependencies (the ones not managed by yarn)?
Comment #44
lauriii
I think we could open one issue for all of the remaining ones. The webpack minor update should be straightforward, but if it turns out it isn't, it could be split to its own issue.
Do we have any JavaScript dependencies not maintained in yarn? I think all of the dependencies are managed by yarn since #3219088: Use package.json to manage third party JS libraries.
Comment #45
andypost
After migrating CI to GitLab, core could use https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
Comment #46
longwave
Someone already opened #3320370: Update to tabbable v6.0.1 to fix bug with scoped headers
Comment #47
andypost
Filed
- #3320515: Update cspell and nightwatch
- #3320518: Update webpack
Comment #48
longwave
Removing rc blocker tag and adding stable release blocker, we should do another round of minor/patch level updates before release, but there is little point chasing any more releases before rc1.
Comment #49
effulgentsia (at Acquia)
As of today, `yarn outdated` shows the following:
In particular, `shepherd.js` and `webpack-cli` have new major releases, so I think we should open either one or two child issues to upgrade those. If it's easier, maybe we should upgrade all of the above in one issue/patch?
Comment #50
longwave
`shepherd.js` has a big breaking change: the underlying library has moved from `popperjs` to `floating-ui`; not sure if this is too big a change for us to make now we are in release candidate or not?
The others (including `webpack-cli`, given that the break is removing support for Webpack 4 and we are already on v5) can likely be done in a single issue.
Comment #51
longwave
This patch updates everything except shepherd.js. I ran `yarn build`, `yarn lint:css` and `yarn lint:core-js-passing` and there were no changes and no errors.
Comment #52
Spokje
Either we were very unlucky or the `nightwatch` update is breaking all but one Nightwatch tests by not being able to connect to the selenium server.
Ordered a retest to be sure what's going on.
Comment #53
Spokje
Same fails in Nightwatch tests.
This seems the likely culprit to me:
Maybe we should split off the Nightwatch update into a separate child issue and get the other ones in whilst we investigate?
Comment #54
mstrelan (at PreviousNext)
Possibly related, see https://github.com/SeleniumHQ/docker-selenium/issues/1723. This caused FunctionalJavascript tests to fail for me and at least a handful of others. Also affects Drupal Test Traits. Pinning to selenium/standalone-chrome:4.5.2 resolved the issue. I suspect it's the same issue here.
Comment #55
Spokje
Opened child issue #3323834: (Try to) update Sheperd.js to latest major version
Comment #56
Spokje
Opened child issue: #3323944: Update JavaScript dependencies for Drupal 10, except Shepherd.js and Nightwatch
Also, put this issue back to Active since there's no valid patch/MR to review any more (and this is a [META]).
Comment #57
Spokje
Opened child issue #3323988: Update Nightwatch from 2.4.2 to 2.6.19
Comment #58
effulgentsia (at Acquia)
As of today, `yarn outdated` on 10.0.x outputs:
For nightwatch and shepherd.js, I tagged #3323988: Update Nightwatch from 2.4.2 to 2.6.19 and #3323834: (Try to) update Sheperd.js to latest major version themselves as stable release blockers.
It might be nice to get postcss-import updated prior to tagging 10.0.0-rc2, though probably not a big deal if we don't. Either way, we'll still need to check again just prior to the 10.0.0 release.
Comment #59
Spokje
Well, it has to go in anyway, so let's do it now, so RC2 is as up to date as possible: #3324927: Update to the latest postcss-import version (15.0.1)
Comment #60
Spokje
I know this is an endless chase, but let's try to get RC2 (is that even an official thing yet?) out as up to date as possible, and do a final(?) update round on Monday Dec. 12 to get the 10.0.0 release up to date.
#3325114: Update to the latest cspell, eslint, postcss-import, stylelint. terser and webpack-cli version
Comment #61
effulgentsia (at Acquia)
As of today, `yarn outdated` outputs:
Upgrading the major version of Shepherd was postponed to Drupal 11 per #3323834-15: (Try to) update Sheperd.js to latest major version.
Upgrading the minor version of Nightwatch is likely postponed to Drupal 10.1 per #3323988-12: Update Nightwatch from 2.4.2 to 2.6.19, considering we don't yet know how to make the new version work on DrupalCI.
If there was a compelling need to update `eslint-plugin-yml`, `postcss-import`, or `prettier` before releasing 10.0.0, we potentially could do those, but if there isn't a compelling need (I'm not aware of one), then I think we're better off not making any further changes to our dependencies in the 10.0.x branch in preparation for a stable release. Therefore, marking this issue Fixed, and let's open a new one for 10.1 when there's a benefit to updating the JS dependencies in that branch.
Comment #62
xjm
Saving credits for contributors who helped keep this plan up to date.