Set up a formal process for ensuring JavaScript dependencies remain up to date

Created on 13 May 2022, almost 3 years ago

Updated 8 February 2023, about 2 years ago

Problem/Motivation

At the moment, the process for keeping JavaScript dependencies up to date is informal and dependent on individual contributors ensuring that updates have been applied on time. Ideally we would have processes in place for getting notified of security vulnerabilities in the dependency tree, and a step to make sure that dependencies get updated prior to every release to make (patch, minor and major). This would make sure that if an individual contributor is not available, the team would still be responsible for ensuring that updates have been applied on time.

For context, the total dependency tree at the moment is over 3000 packages meaning that updates are happening at a high frequency. Preparing to a new release should likely include multiple check points where lates updates get applied.

Proposed resolution

There are 2 topics, security warnings and automated dependency MR creation.

Security monitoring

This is fairly easy, a simple gitlabci file such as https://git.drupalcode.org/project/drupal_core_gitlabci_test/-/blob/10.0... will monitor the (JS & PHP) dependencies for security updates and integrates with the gitlab UI : https://git.drupalcode.org/project/drupal_core_gitlabci_test/-/security/.... We can schedule a daily scan for this and I'm sure there are gitlab settings for sending emails or such when a new issues is picked up.

Automated update MR

The principle for the various tools that exist is to make one PR for each package update. The only groupings that would make sense for us are doing all CKEditor 5 packages updates (execpt the @ckeditor/ckeditor5-dev-utils) in the same MR and @bable/core and @babel/preset-env in the same MR since they're released in sync. All other dependencies should have their own MR.

First step is to detect packages updates, this can be done by dependabot or renovate.

For an exemple of what renovate does on github see: renovate update for glob: https://github.com/theodoreb/drupal/pull/8 notice the links for the changelogs.
For dependabot see https://github.com/theodoreb/drupal/pull/6 they also have a compatibility score for some updates that can tell us if the update usually breaks other repo using that dependency.

This should be run on all supported branches. One package update in 3 branches would create 3 different merge requests.

Once we know what there is to update we need to

create a d.o issue (template TBD)
add all relevant core committers as followers of the issue
create the issue fork
create a new branch dep-update-XXX (with XXX the name of the dependency to update)
commit the result of dependabot/renovate to this branch

create a new branch git checkout -b dep-update-drupal-XXX dep-update-XXX
run yarn
run yarn build
Depending on the updated package(s) run different commands:
- if package is used in vendor-update run yarn vendor-update
- if package is part of CKEditor 5 run yarn run build:ckeditor5-types (yarn build:ckeditor5 is already run by yarn build above
- if package is cspell run yarn spellcheck:make-drupal-dict
commit the code to the branch
create the merge request against the appropriate core branch
set the issue as Need Review so that testbot is run against the new code (triggering the various linting scripts and build checks)

When the update package is CKEditor 5 or webpack* in the dep-update-cke5 branch run the following commands:

1. create a new (ckeditor5-build) branch from the core branch
2. run yarn
3. run yarn build:ckeditor5-dev
4. commit the result
1. create a new branch using the updated deps git checkout -b review-ckeditor5-build dep-update-XXX
2. run yarn
3. run yarn build:ckeditor5-dev
4. commit the result
Create a DRAFT merge request from review-ckeditor5-build to ckeditor5-build to review the unminified changes (so that CI doesn't run for this MR)

The various steps involves creating 4 branches max:

dep-update-XXX
dep-update-drupal-XXX
ckeditor5-build
review-ckeditor5-build

And 2 merge requests:

from dep-update-drupal-XXX to core branch (the MR to commit)
a DRAFT MR from review-ckeditor5-build to ckeditor5-build for review

Remaining tasks

Agree on the proposal

Release notes snippet

🌱 Plan

Status

Needs review

Version

10.0 ✨

Component

Javascript →

Last updated 1 day ago

Maintained by
🇬🇧United Kingdom @justafish
🇫🇷France @nod_

Created by

🇫🇮Finland lauriii Finland

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 2 years ago →
🇺🇸United States smustgrave
This seems more like a plan.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024