algolia/places is no longer open source and may be affected by the polyfill backdoor

Created on 26 June 2024, 6 months ago

Problem/Motivation

I'm not marking this as a bug, as webform isn't coming with a bug. But it links to the algolia/places library, which seems to be affected by that polyfill.io backdoor.

When going to their repository at https://github.com/algolia/places, this is archived and no issues can be reported any more. Their link to community.algolia.com/places/ isn't working either, it redirects to their commercial website.

This feels totally wrong to me. Not sure what webform wants to do about it. But leaving it as is feels bad.
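A check worth running before deciding what to do with a vendored copy of an archived library: scan the installed front-end libraries for code that loads from polyfill.io. The script below is an added example and is not part of Webform or algolia/places; the directory layout it assumes (DRUPAL_ROOT/libraries/<installer-name>/…), the sample files it builds and the host list are constructed for illustration, and the list should be extended with whatever indicators you trust.

```python
"""Scan vendored front-end libraries for references to polyfill.io.

Added example, not Webform project code. It walks a libraries directory
(assumed layout: DRUPAL_ROOT/libraries/<installer-name>/...), searches text
assets for URLs pointing at host names associated with the polyfill.io
compromise, and reports which library directories reference them.
"""
import os
import re
import tempfile

# Host names to flag. "polyfill.io" also covers cdn.polyfill.io. This is an
# assumed starting point, not an authoritative indicator list.
SUSPECT_HOSTS = ("polyfill.io",)
# File types worth reading; binaries and fonts are skipped.
TEXT_EXTENSIONS = {".js", ".mjs", ".css", ".html", ".htm", ".json", ".map"}

# Match scheme-relative or absolute URLs whose host ends in a suspect name.
# The lookahead stops "polyfill.io.example.com" from matching.
HOST_RE = re.compile(
    r"(?:https?:)?//(?:[a-z0-9-]+\.)*("
    + "|".join(re.escape(h) for h in SUSPECT_HOSTS)
    + r")(?![a-z0-9.-])",
    re.IGNORECASE,
)


def scan_libraries(root):
    """Return {library_dir: sorted relative paths} for files that load from a suspect host."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if HOST_RE.search(content):
                rel = os.path.relpath(path, root)
                lib = rel.split(os.sep, 1)[0]  # top-level installer-name directory
                hits.setdefault(lib, []).append(rel.replace(os.sep, "/"))
    return {lib: sorted(paths) for lib, paths in hits.items()}


def demo():
    """Build a constructed libraries tree in a temp dir, scan it, return the hit map."""
    root = tempfile.mkdtemp(prefix="libs-")
    files = {  # constructed sample assets, not real library contents
        "good.lib/dist/good.js": "console.log('no third-party loader here');",
        "suspect.lib/dist/index.html":
            '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>',
        "suspect.lib/dist/loader.js":
            "var s=document.createElement('script');s.src='//polyfill.io/v3/polyfill.js';",
        "suspect.lib/README.txt": "mentions polyfill.io in prose only; not a scanned asset",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_libraries(root)


if __name__ == "__main__":
    for lib, paths in demo().items():
        print(lib, "->", ", ".join(paths))
```

Run it against a real tree with `scan_libraries("/path/to/DRUPAL_ROOT/libraries")`; a hit tells you which installer-name directory to look at first, not that the library itself is compromised, so read the matching file before acting.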

📌 Task
Status

Active

Version

6.2

Component

Code

Created by

🇩🇪Germany jurgenhaas Gottmadingen


Comments & Activities

  • Issue created by @jurgenhaas
  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦

    Perhaps we should start by adding a warning, recommending that people uninstall it and announce that it will be removed in the future.

  • 🇺🇸United States jrockowitz Brooklyn, NY

    Let's add a warning.

    We could also create a webform_deprecated project namespace and gradually move deprecated webform modules into that namespace.

  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦

    Some modules have in their info files package: 'Webform [DEPRECATED]'. Some, but not all, of these also have lifecycle: deprecated. It seems to me that if they have one, they should have the other.

  • 🇺🇸United States jrockowitz Brooklyn, NY

    Yes, we should add 'lifecycle: deprecated' to any module categorized as 'Webform [DEPRECATED]'

  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦

    Done

  • 🇺🇸United States kruser

    If you use composer for the libraries install per https://www.drupal.org/docs/8/modules/webform/webform-frequently-asked-q... → :

    "merge-plugin": {
        "include": [
            "modules/contrib/webform/composer.libraries.json"
        ]
    }
    

    It installs the algolia/places library regardless.

  • +1 to #10. Yes, this is what happens. Same with choices/choices, which is also affected.

  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
  • Hello,
    I wonder if there is a way to remove the dependency on algolia/places in

    webform > composer.libraries.json

    and any other reference that points to algolia/places.

  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦

    Instead of including all of composer.libraries.json, you can add just the ones you actually use to your own composer.json.

  • Thanks for your suggestion.

    I'm not sure if I understand you correctly.
    Here is the list of the libraries required by "Modules > contrib > webform", as listed in 'composer.libraries.json':

        "require": {
            "algolia/places": "*",
            "choices/choices": "*",
            "codemirror/codemirror": "*",
            "jquery/chosen": "*",
            "jquery/geocomplete": "*",
            "jquery/hotkeys": "*",
            "jquery/icheck": "*",
            "jquery/image-picker": "*",
            "jquery/inputmask": "*",
            "jquery/intl-tel-input": "*",
            "jquery/rateit": "*",
            "jquery/select2": "*",
            "jquery/textcounter": "*",
            "jquery/timepicker": "*",
            "jquery/toggles": "*",
            "popperjs/popperjs": "*",
            "progress-tracker/progress-tracker": "*",
            "signature_pad/signature_pad": "*",
            "svg-pan-zoom/svg-pan-zoom": "*",
            "tabby/tabby": "*",
            "tippyjs/tippyjs": "*"
        },
        "repositories": {
            "algolia.places": {
                "type": "package",
                "package": {
                    "name": "algolia/places",
                    "version": "1.19.0",
                    "type": "drupal-library",
                    "extra": {
                        "installer-name": "algolia.places"
                    },
                    "dist": {
                        "url": "https://registry.npmjs.org/places.js/-/places.js-1.19.0.tgz",
                        "type": "tar"
                    },
                    "license": "MIT"
                }
            },

    Those entries are part of the webform module.

    So, do I need to remove those entries by applying a patch?

    Also, how can I know what libraries the 'webform' module needs, so I do not remove the ones that are actually needed by this module?

  • Oh,
    I think I got it.
    I just need to uninstall "Webform Algolia Places", either through the web interface (/admin/modules/uninstall) or from the command line.

  • @La558 You don't quite understand. In order to use those Webform sub-modules, you need to require the libraries. For example, in your composer.json:

    
        "require": {
            "wikimedia/composer-merge-plugin": "^2.0"
        },
        "extra": {
            "merge-plugin": {
                "include": [
                    "web/modules/contrib/webform/composer.libraries.json"
                ]
            },
    

    You would remove this, and explicitly require the libraries you need instead.

  • @solideogloria
    fantastic!
    Thank you for clarifying!

  • 🇩🇪Germany gngn

    Sorry, but I don't quite understand.
    Is there a replacement for algolia/places, i.e. can I use webform_location_places without using algolia/places?
    I'm not sure but briefly looking at the code it seems webform_location_places requires algolia/places.

    I'd like to keep using webform/composer.libraries.json (to easily get library update when updating webform) - so maybe we should offer a patch to webform/composer.libraries.json?
    Also a clean status page gives me a warm feeling.

    Or am I getting something wrong?

    Thanks for any explanations.

  • 🇫🇷France raphaelbertrand Lauris

    Is it possible to move deprecated libraries into another composer.json in order to have a clean one (and an optional second one for those who want to keep these modules)?

  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦

    Instead of including composer.libraries.json, you can add just the modules you want to your own composer.json.

  • 🇫🇷France raphaelbertrand Lauris

    I know and understand I can manage dependencies myself (I think I will do it to avoid unwanted dependencies like this one), but the idea is to provide in the webform codebase a clean, updated list of dependent libraries in composer.libraries.json without deprecated ones, which could be put in another json, for example a new composer.deprecated-libraries.json.
    Why continue to provide in the main composer.libraries.json libraries with safety risks for deprecated submodules?

  • 🇺🇸United States jrockowitz Brooklyn, NY

    One solution for deprecated sub-modules is to move all of them to a webform_deprecated project, which can be the graveyard for deprecated sub-modules.

  • 🇫🇷France raphaelbertrand Lauris

    I didn't see it before: /admin/structure/webform/config/libraries suggests

    generate a custom file using: drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json.

    Maybe it would be good to edit https://www.drupal.org/node/3003140 → to suggest this option.
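The two approaches discussed above, requiring only the libraries you use instead of merging the whole file, and generating a custom composer.libraries.json with drush and trimming it, both come down to removing a package from both the "require" and "repositories" sections of that file, and the entries must be removed together or composer will still resolve the package from the leftover repository definition. The script below is an added example, not Webform project code: it takes a composer.libraries.json, drops the named packages from both sections, and prints the result for you to include instead of the shipped file. The algolia/places repository entry is copied from the thread; the choices/choices and codemirror/codemirror entries are constructed placeholders with made-up versions and URLs.

```python
"""Strip unwanted packages from a Webform composer.libraries.json.

Added example, not Webform project code. Usage:
    python filter_libraries.py composer.libraries.json algolia/places > composer.filtered.json
Then point the merge-plugin "include" at composer.filtered.json instead of the
file shipped with the module.
"""
import copy
import json
import sys


def filter_libraries(doc, drop):
    """Return a copy of doc without the packages named in drop.

    A package is removed from "require" and from any "repositories" entry of
    type "package" that defines it. The input document is left untouched.
    """
    drop = set(drop)
    out = copy.deepcopy(doc)
    out["require"] = {
        name: constraint
        for name, constraint in doc.get("require", {}).items()
        if name not in drop
    }
    repos = {}
    for key, repo in doc.get("repositories", {}).items():
        pkg = repo.get("package", {}) if repo.get("type") == "package" else {}
        if pkg.get("name") in drop:
            continue  # drop the repository definition together with the requirement
        repos[key] = repo
    out["repositories"] = repos
    return out


def missing_repositories(doc):
    """Names in "require" with no package repository in doc (sanity check after filtering)."""
    defined = {
        repo["package"]["name"]
        for repo in doc.get("repositories", {}).values()
        if repo.get("type") == "package"
    }
    return sorted(name for name in doc.get("require", {}) if name not in defined)


# Constructed excerpt shaped like the file quoted in the thread. The
# algolia.places entry is the one shown there; the other two are placeholders.
SAMPLE = {
    "require": {
        "algolia/places": "*",
        "choices/choices": "*",
        "codemirror/codemirror": "*",
    },
    "repositories": {
        "algolia.places": {
            "type": "package",
            "package": {
                "name": "algolia/places",
                "version": "1.19.0",
                "type": "drupal-library",
                "extra": {"installer-name": "algolia.places"},
                "dist": {"url": "https://registry.npmjs.org/places.js/-/places.js-1.19.0.tgz",
                         "type": "tar"},
                "license": "MIT",
            },
        },
        "choices.choices": {  # placeholder: version and URL are not real values
            "type": "package",
            "package": {"name": "choices/choices", "version": "0.0.0", "type": "drupal-library",
                        "dist": {"url": "https://example.invalid/choices.tgz", "type": "tar"}},
        },
        "codemirror.codemirror": {  # placeholder: version and URL are not real values
            "type": "package",
            "package": {"name": "codemirror/codemirror", "version": "0.0.0", "type": "drupal-library",
                        "dist": {"url": "https://example.invalid/codemirror.tgz", "type": "tar"}},
        },
    },
}


def main(argv):
    """Read the file named in argv[1], drop the packages in argv[2:], print the result."""
    if len(argv) < 3:
        raise SystemExit(__doc__)
    with open(argv[1], encoding="utf-8") as fh:
        doc = json.load(fh)
    filtered = filter_libraries(doc, argv[2:])
    print(json.dumps(filtered, indent=4))


if __name__ == "__main__":
    main(sys.argv)
```

Run `missing_repositories()` on the output before committing it: an empty list means every remaining requirement still has its package repository, so composer will not fall back to Packagist for a name that only exists in the shipped file.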
