- Issue created by @fernly
- Status changed to Needs review, 9:23am 8 December 2023
- Last update: 18 pass
- Status changed to Closed: works as designed, 12:52pm 8 December 2023
- 🇮🇩 Indonesia gausarts
I understand it is _very_ useful, so thank you.
I also understand I would have consequences I couldn't afford if I put this in, so sorry.
Unless somebody is willing to pay me for the maintenance work, of course. Until then, I can only give what I can afford.
I can assure you I know what I am talking about :)
Similar reasons to Slick's; a few objections are:
- Security. If you had worked with Slick since v1, 2014, you'll know what it is. I don't want to chase updating versions when having such an issue. Even if you guaranteed it safe. I don't want to update modules just because I have to update library minor versions due to some newly found security issues in code that I didn't even touch. Even if it is a dependency, it is a totally separate entity.
- IMHO, managing libraries should be centralized at root composer.json, and known to the persons installing Drupal. Two good reasons: I prefer Slick v1.6 to newer ones. I don't want modules, not even my own, to install libraries without my consent. Again, security-wise. Some security holes were found from just downloading libraries as they are. The SVG library security issue is more than convincing. Dragging modules down due to third-party mistakes is not good for modules' health. Worse when you have less time to be responsible for third-party mistakes.
At any rate aka not totally off-handed, relevant docs are provided in this module accordingly, whether using composer, or npm.
More details are in Blazy's docs under Composer as referenced in this module.
I intentionally replied at length so I can reference it since this issue repeats.
I hope you understand my wording very well :)