Add HTMX dependency to core

few comments on the MR

Code is good to go for me, we can RTBC once the security issue is managed. To be more accurate the status should be postponed since we're waiting on external third party for a reply :)

Crediting htmx maintainer for resolving the security policy issue

I confirmed the security policy was there as well.

I tried to follow the instructions to report a security issue, but the report a security vulnerability button was not there, I pinged @1cg on slack about it and he enabled the security reporting.

We should document this bit for future dependency evaluations so that it's easier to onboard projects.
It seems for github anyway there are two steps. Here is the documentation page on github: https://docs.github.com/en/code-security/security-advisories/working-wit...

After he configured it I confirmed that the button is now available and the security instructions are complete!

formatting change in the issue summary.

Also need release manager sign-off, which I don't see here.

I very reluctantly worked on the jQuery 4 port of jquery.form.js because it was one of the last blockers to releasing Drupal 11. While the AJAX system works, it has a lot of custom and long-unmaintained JavaScript behind it and is one of our heaviest jQuery dependencies. There has been no progress in modernising any of that js in the past 10-15 years.

The plan to introduce HTMX alongside the AJAX system as a new API means we can ensure feature parity and improve APIs, but without having to try to implement complex JavaScript or BC layers - instead running both side by side until we can fully deprecate and remove the AJAX system.

I very reluctantly worked on the jQuery 4 port of jquery.form.js because it was one of the last blockers to releasing Drupal 11. While the AJAX system works, it has a lot of custom and long-unmaintained JavaScript behind it and is one of our heaviest jQuery dependencies. There has been no progress in modernising any of that js in the past 10-15 years, instead we're left with a custom fork of an unmaintained GitHub repo.

The plan to introduce HTMX alongside the AJAX system as a new API means we can ensure feature parity and improve APIs, but without having to try to implement complex JavaScript or BC layers - instead running both side by side until we can fully deprecate and remove the AJAX system.

So from a release management point of view this will eventually be a large net reduction in our JavaScript dependencies and while there are details to figure out the transition plan is good.

I think this needs FEFM rather than FM review so switching the tags over.

+1 for this, validated that in #3404409-99: [Plan] Gradually replace Drupal's AJAX system with HTMX

Indeed, it is green now ✅ following @nod_ https://git.drupalcode.org/project/drupal/-/merge_requests/11928/diffs?c...

I will take care of this today.

Does this need a change record?

I would think both issues would get one.

Even if it's not strictly usable in this release it is a new dependency people should be notified that it will be installed.

Though I note #3352389: Add open-telemetry/sdk and open-telemetry/exporter-otlp as dev dependencies didn't have one.

I would think a simple one that said htmx is now a core dependency starting with htmx version xyz and a link to the github would suffice.

We didn't have a change notice to say a library was added (like sortable and such), only the issue when it's actually used has a change notice.

For now we don't want people to use it as-is, we need to integrate it to make sure things like security and performance are taken into account.

Yeah agreed with #37, we can add the CR when it's more meaningful, but retrospectively add this issue to it then for context.

Committed 216a91c and pushed to 11.x. Thanks!

Assigning to myself to sort out the documentation.

I made an entry for HTMX at Current JavaScript dependencies and completed it from the information in the issue summary. Update that entry as needed.

Locally when I run yarn vendor-update on 11.x I get some changes without changing anything in package.json or the lockfile:

1. assets/vendor/htmx.org is created, which is a copy of assets/vendor/htmx
2. htmx.debug is upgraded from 2.0.1 to 2.0.4

let's remove the debug extension, it's not used yet and there is a built-in way of doing the same thing (htmx.logAll())

as for the folder that's my bad, I removed the "folder" key and we needed it

Using the latest changes there are still no changes to the package file or the lock file.

This also still needs a release note.

The lock file is correct, latest version is 2.0.4: https://www.npmjs.com/package/htmx.org?activeTab=versions

The debug extension is in the package because of how they used to do things: https://github.com/bigskysoftware/htmx/blob/master/dist/ext/README.md

@nod_ I think we also need to delete assets/vendor/htmx/debug.js from the repo?

After applying the patch:

$ cd core
$ rm -rf assets/vendor/htmx
$ yarn vendor-update
...
$ git status
On branch 11.x
Your branch is up-to-date with 'origin/11.x'.

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	deleted:    assets/vendor/htmx/debug.js
	modified:   core.libraries.yml
	modified:   scripts/js/vendor-update.js

Maybe vendor-update should delete the target directory first, to handle deleted files?

that's a good idea, follow-up though

Committed 042eb55 and pushed to 11.x. Thanks!

maybe change record could be added here? that's very helpful

@andypost see #34-39