Problem/Motivation
jQueryUI has reached end of life so it is being deprecated for removal in Drupal. The drupal.tabbingmanager library depends on jqueryUI.
Proposed resolution
According to the comment in core.libraries.yml, jquery ui is only needed because it # Supplies the ':tabbable' pseudo selector.
Replace tabbingmanager's use of jQueryUI with the https://github.com/focus-trap/tabbable library, and add a shim so jQuery's use of the :tabbable selector uses this library. Tabbable is the only active library that provides the functionality needed.
Dependency eveluation for focus-trap/tabbable
Maintainership of the package
After about a year with little activity, https://github.com/stefcameron took over as maintainer, and it looks like it is in good hands. He has been very active responding to issues and keeping dependencies current. Tabbable is also a dependency of another library with the same maintainer https://github.com/focus-trap/focus-trap (something that could potentially replace tabbingmananger as a no-jquery equivalent).
Security policies of the package
No policy is currently posted, but I inquired about the policy and received an answer: https://github.com/focus-trap/tabbable/issues/136. Based on the response, it's possible that a policy will be posted soon after I type this, but I was satisfied with the content of the response. While it's unlikely a security release would receive a backport to earlier versions, the nature of the library means its unlikely for such vulnerabilities to occur. Were a backport absolutely necessary for Drupal, Tabbable's codebase is straightforward enough that it could be performed in a dedicated fork which wouldn't be ideal but is also: 1) unlikely 2) still less effort than an entirely custom solution.
Here's the maintainer's response"
I'm also maintaining focus-trap and focus-trap-react (all in the same org/family), so the only thing I can support is the currently released version. If there's a security issue in that version, then I'll certainly fix it by publishing a new version that addresses the vulnerability, but I will not support any previous versions. So if I eventually publish 6.0.0 and a security issue is found in 5.1.3, for example, and it's still in 6.0.0, then I will fix it in 6.0.1 or 6.1.0 (or possibly 7.0.0 if it requires breaking backward compatibility for some reason -- I would imagine this would be rare), but I will not also publish 5.1.4 or 5.2.1 to fix it.
I guess there could be a scenario where I'm in a pre-release on a new major and a security issue is discovered in the current 5.1.3 release. In that case, I'd try to fix it in the current non-pre-release, and bring that forward into the pre-release, but that's as far back as I would go (though I don't consider that going back because the latest release isn't a "full" release, it's still in pre-release stage, so I don't expect everyone to want to adopt a pre-release to get security fix).
Expected release and support cycles
No official schedule, but updated frequently to address issues or update dependencies. This is the full response from the maintainer regarding this:
This happens whenever there's something new to publish, regardless of the Semver bump. So far, that's only patches and minors. I did do a major when I took over, but I did that out of an abundance of caution because the project had stagnated for an entire year and I bumped all the dependencies and refactored the build, etc., when I took over. So I wanted to send a clear message there, that upgrading might cause issues.
But now, I haven't come across anything in this library that would warrant a major bump. If I did, I guess that would be a complete change to the API, or something like no longer recognizing a node as tabbable which was previously recognized as tabbable (for example). I don't think I would have a big release plan for that, though, given the size of the library. I would probably leverage a pre-release version, like 6.0.0-alpha.1, to test the waters in the community until it stabilizes, and then publish 6.0.0.
Code quality
The code itself is very concise and significantly more readable than some of the other libraries Drupal uses https://raw.githubusercontent.com/focus-trap/tabbable/v5.1.3/src/index.js. The variables and functions are well named and it is nicely formatted without readabily-compromising shortcuts. Even without docblocks/comments it's very clear what the code is doing.
The test coverage seems quite good: https://github.com/focus-trap/tabbable/tree/v5.1.3/test
Dependency Evaluation for CSS.escape
Maintainership of the package
Maintained by https://github.com/mathiasbynens. He acknowledges this is a spare-time hobby project, but the handful of issues reported have been addressed quickly. It's the sort of polyfill that doesn't require much attention, so there's not much activity in general on the repo. This low-activity (including issues filed) contrasted against the 3 million NPM downloads per week suggests it is quite stable + there's a community interested in in continuing to work well. Also worth mentioning the maintainer replied to my security questions within hours.
Security policies of the package
No official policy is posted. The maintainer's response to security questions can be found here: https://github.com/mathiasbynens/CSS.escape/issues/15. I believe this is sufficient particularly since the functionality of this library isn't one that could introduce many vulnerabilities.
Expected release and support cycles
As-needed and rarely (if ever) needed.
Code quality
106 concise, readable lines with good comments.
Remaining tasks
Confirm that tabbingmanager only needs jquery.ui for ':tabbable' confirmed
Confirm there are existing tests that would fail if tabbingmanager didn't use jQueryUI -- if not, these should be added.Confirmed. Without jQueryUI several tests fail due to :tabbable
not being a valid selector
Find an alternative solution - ideally this could leverage an existing library instead of something custom to Drupal. Found https://github.com/focus-trap/tabbable
Implement the solution.
User interface changes
API changes
Data model changes
Release notes snippet
The tabbable library has been added to replace the functionality provided by for jQuery UI's:tabbable selector. A shim has been provided so all existing of uses of the :tabbable
selector now use tabbable to query tabbable elements.
Comment | File | Size | Author |
---|---|---|---|
#84 | interdiff_68-84.txt | 5.64 KB | bnjmnm |
#84 | 3113649-84.patch | 79.73 KB | bnjmnm |
#75 | Cu7tbBd - Imgur.png | 126.19 KB | ilgnerfagundes |
#68 | interdiff_66-68.txt | 679 bytes | bnjmnm |
#68 | 3113649-68.patch | 81.53 KB | bnjmnm |
Comments
Comment #2
bnjmnmTabbable looks to be the best option. Not only does it seem to do its job well, but it's also the only option I could find that has had activity in the past 2 years.
In order to use tabbable, however, it would be necessary to create a UMD build. The version in development on master has introduced multiple builds, but currently there are only esm and cjs options. This is fairly easy to remedy, so I created a PR
https://github.com/davidtheclark/tabbable/pull/51
Maintainers look to be active so I'm hoping I will soon find out if there's willingness to include the umd build.
This patch uses the UMD build generated by the branch that I issued the pull request with.
Comment #3
xjmToo late to do this in 9.0.x now, so moving to 9.1.x. Thanks!
Comment #4
nod_"Confirm that tabbingmanager only needs jquery.ui for ':tabbable'" I can confirm that :)
The library looks good, but as you can see the maintainer proposed you the maintainership :p
Comment #5
catchComment #6
catchComment #7
bnjmnmMy PR was committed and as of v5 was Tabbable supports UMD builds, so the library can again be considered.
https://github.com/focus-trap/tabbable/pull/51
Comment #8
bnjmnmThis adds tabbable 5.1.0 and removes all usage of jQueryUI tabbable. A shim was added so jQuery can continue to use the :tabbable pseudo selector.
It seems like existing test coverage makes use of :tabbable in several tests (in fact, several failed while I was working on this). It's not yet clear to me if additional test coverage is even needed, but that can certainly be arranged.
Comment #10
lauriiiLet's update this to the latest version
We should link to the license itself usign raw.githubusercontent.com.
Did you have to build the library manually? If you did, let's add documentation that documents exact steps that need to be taken.
Shouldn't this be marked as deprecated?
Comment #11
bnjmnmThis adds tests and addresses #101-3
Regarding #10.4, My preference is to not mark the use of
:tabbable
as deprecated as part of this issue, as the shim is not tied to jQueryUI at all, just jQuery. There are several other jQuery-specific pseudos like:visible
,:disabled
, etc. that will need to be deprecated as part of the jQuery removal efforts. I think deprecating:tabbable
may work better if it is done at the same time as the other jQuery selectors. I've also seen anecdotal evidence that some people assume:tabbable
is part of jQuery and not jQueryUI anyway.Totally fine if that reasoning doesn't convince and the deprecation should happen. If it gets deprecated we'd either need to add the deprecation message to
\Drupal\Tests\Listeners\DeprecationListenerTrait::getSkippedDeprecations
or refactor some tests that still use:tabbable
. Both options are reasonably straightforward to implement.Comment #12
nod_I'd call that one
tabbable.jquery
, not sure I'd keep "shim", in any case by itself it's not very descriptive.The tests are only for the shim right? might be better to specify it
can probably call that one
tabbable.jquery.es6.js
, like you said it's not tied to jQueryUIWorks well, behaves as expected on IE11. We save a few KB of JS on most pages not having to load base jquery ui
Comment #13
ayushmishra206 CreditAttribution: ayushmishra206 at OpenSense Labs commentedMade the changes suggested in #12. Please review
Comment #14
nod_The shim file is missing file, and library names need to be changed everywhere.
Comment #15
lauriii:tabbable
so we should open issue for removing those and deprecating the shim.Nit: jQuery UI :tabbable selector. This is not specific to jQuery UI but this is a BC layer for the jQuery UI feature.
Nit: s/jQueryUI/jQuery UI
Comment #16
bnjmnmBuilt this from #11
Addresses #11 and #15 and keeping the "shim" in the filename/library to match the jQuery cookie shim - but adding jquery or changing jqueryui to jquery where applicable.
Comment #17
bnjmnmCreated followup #3179734: Refactor uses of the :tabbable selector and deprecate it
Comment #18
nod_Ok with me.
Comment #19
lauriiiSince we are adding a new library, we should do a dependency evaluation.
Comment #20
nod_version 5.1.3 went out last week too: https://github.com/focus-trap/tabbable/releases/tag/v5.1.3
Comment #21
bnjmnmUpdated to 5.1.3. This required a small change to the shim & test as well.
Dependency evaluation on the way, I just filed https://github.com/focus-trap/tabbable/issues/136 to get information regarding security policies and will provide the evaluation after we get a response.
Comment #22
bnjmnm#21 has some accidental junk in it. Ignore that patch and work from this one
Comment #23
bnjmnmAdded dependency evaluation.
Comment #24
lauriiiThe dependency evaluation looks good ✨
Nit: s/jQueryUI/jQuery UI
Comment #25
bnjmnmMy no-space jQueryUI/jQuery UI habit strikes again...
Comment #26
nod_Looking good, still works on dialogs and all :)
Comment #27
xjmI posted an additional question to https://github.com/focus-trap/tabbable/issues/136#issuecomment-722612968 since part of what we want to ensure is safe/coordinated disclosure for our production dependencies. I didn't add the usual question about whether they would notify us of an upcoming release because in the JavaScript ecosystem that's sort of like asking for unicorns.
Comment #28
catch#27 was answered here: https://github.com/focus-trap/tabbable/issues/136#issuecomment-723484998
This all seems pretty good to me - main thing is the maintainer is responsive and friendly.
Comment #29
xjmAgreed; +1.
Comment #30
alexpottIs there a reason why we're not adding a build step into package.json? - like we've got for jqueryui.
Are we concerned that other contrib / custom JS is going to have to do the same thing? Or to ask this question the other way around do we always need to load the shim if we load the new tabbable library.
I guess not because if something is relying on jquery's tabbable then they would be depending on jquery.ui and that loads the shim.
Setting to needs review for point 1. I'd address 3 on commit if point 1 turns out to be moot.
Comment #31
nod_for 1. we don't need to launch a build step ourselves. When doing a
yarn add tabbable
, thenode_modules/tabbable/dist/
folder will hold all the files we need (index.umd.min.js
andindex.umd.min.js.map
).We got to change the way we manage js dependencies because it's hard to keep them up to date. If I'd change anything I'd remove the readme because I don't think we should be building the lib ourselves for this one, broader topic though #2658650: [META] Optimize Frontend Workflow in Core Development, #2873160: Implement core management of 3rd-party FE libraries
Comment #32
bnjmnm#30.1
build:jqueryui
in package.json runs Drupal-specific steps to create a custom build.Tabbable can be built with the defaults so there's no need to have a build step in core. The readme (requested in #10) is largely there to confirm that the file used in core is created via a standard
yarn install; yarn build;
, as the repo does not contain the built files.Comment #33
bnjmnmNeeded a reroll and this takes care of #30 as well.
Comment #34
zrpnrThe sniffer errors pointed out in #30.3 were addressed in #33, and the reroll cleanly applies to latest 9.2.x. Looks like this is good to be back at RTBC.
Comment #36
bnjmnmThis got kicked back to needs work due to a test fail in #33, but this was an unrelated test known to intermittently fail. Moving back to the RTBC set in #34 (not a review of my own work 🙂)
Comment #37
lauriiiI think this looks great except there's a new release of tabbable. Feel free to move this back to RTBC after updating to the latest version of the library.
Comment #38
ayushmishra206 CreditAttribution: ayushmishra206 at OpenSense Labs commentedMade the update suggested in #37. Please review and RTBC.
Comment #39
ayushmishra206 CreditAttribution: ayushmishra206 at OpenSense Labs commentedPrevious patch didnt have the changes for some reason. Here's the update.
Comment #40
lauriiiWe also have to update the library using the instructions in the tabbable README which can be found in the patch.
Comment #41
bnjmnmComment #42
lauriiiI think we still need a change record. We should at least mention that there's now a new library that can be used for checking whether an element is tabbable or not.
Comment #43
bnjmnmChange record and release notes snippet added.
Comment #44
alexpottNeeds a reroll because #3113400: Deprecate more jQuery UI library definitions landed.
Comment #45
bnjmnmA bit more than a reroll was required due to how #3113400: Deprecate more jQuery UI library definitions changes library definitions, so setting this to Needs Review instead of RTBC.
Comment #46
lauriiiShould we remove jQuery UI tabbable files from core as part of the patch since we don't have any references to it anymore after this patch?
Comment #47
bnjmnmRe #46
This crossed my mind and this was the path I took to deciding against (and it's possible this is flawed)
@nod_ mentioned in Drupal slack that he felt similarly.
Comment #48
catchfwiw I agree with leaving it in. In the event that someone is using it directly somehow, it's better for them to find out when they port to Drupal 10 than a random minor release, plus all the points in #47.
Comment #49
lauriiiI don't have strong opinion to either direction but I thought it would make sense to remove the file since that's the process we followed in #2550717: [JS] Replace jQuery.cookie with JS-cookie and provide a BC layer too. In my opinion, it would be fine to draw a line that a specific file is not an API but a library is.
We also removed jQuery UI components in #3087685: Remove deprecated jQuery UI components and fork remaining source code into core without having tests or rolling a new release, so if we wanted to do so here, we probably could.
Comment #50
xjmComment #51
xjm@lauriii #3087685: Remove deprecated jQuery UI components and fork remaining source code into core was only committed to 9.0.x and #2550717: [JS] Replace jQuery.cookie with JS-cookie and provide a BC layer provided a BC layer. I agree with @catch that we should leave the file in place in a minor release (but indicate that it's deprecated) and only remove it in 10.0.x.
Comment #52
lauriiiWhat would we do if there was a security vulnerability in code in jQuery UI components that are not being used by core anymore? If we assume people could be using it, shouldn't we also provide security coverage for it? How are we planning to handle testing those components that are not used by core? All very hypothetical at this point, especially with the tabbingmanager but if we set the precedent in this issue, there could be other jQuery components that are riskier.
The patch in this issue provides BC layer similar to #2550717: [JS] Replace jQuery.cookie with JS-cookie and provide a BC layer so I believe they are comparable. Only difference is that this patch requires making some modifications to jQuery UI code.
Comment #53
bnjmnm#52 is a pretty convincing reason to remove the file so here's that change.
Providing a patch, but be aware that it won't Custom Commands tests until #3189547: Custom Commands indent: command not found on patches with nightwatch changes is resolved. Until that issue is fixed, any patch that includes changes to nightwatch tests will fail due to a command in commit-code-check.sh that only runs with Nightwatch changes, and isn't available in the container running the tests.
Comment #55
xjmComment #56
lauriiiSeems like there's still reference to tabbable from jQuery UI dialog widget which probably should be removed. That also raised a question; should we introduce intergration tests to jQuery UI widgets that are using shims? That could be useful if we ever have to make changes to the shim.
Comment #57
bnjmnm#56
Are you referring to the
_focusTabbable:
function in dialog.js? If it's that, it's something being addressed in the followup #3179734: Refactor uses of the :tabbable selector and deprecate it (the most recent patch overrides it, but another patch could remove the original too).Or perhaps it's referring to the
define()
calls in the AMD section which I admittedly ignore since it isn't really called.Wherever it happens to be, happy to address in the most suitable issue.
At first glance this seems excessive since the nightwatch tests added are already testing every possible use of the :tabbable selector that I can think of, I can't think of how the integration tests would cover anything that isn't indirectly covered already, but I may be missing something obvious.
Comment #58
lauriiiI don't have strong concerns on leaving the references in AMD definition but I thought it would be consistent with what we have done so far, and would leave the files in a bit cleaner state. I pinged @nod_ to see what he thinks.
We do have extensive unit tests for the shim. Regardless of that, it is useful to have some integration tests to ensure that the integration between different units works. The test could be very minimal, just proving that the integration between the shim and jQuery UI works.
Comment #59
bnjmnmRe #58
All but one item in the "focus tabbable" tests
step7()
, could be translated to Nightwatch without much fuss, so those 6 tests were added.Comment #60
bnjmnmNeeded to fix a few PHPCS issues to get custom commands to pass.
Comment #61
bnjmnmAddressed todos since #3191497: core/jquery.ui.dialog is missing core/jquery assets landed
Also needed to add the tabbable shim as a dependency to core/jquery.ui.dialog, which would typically be included in a core/jquery.ui dependency, which will potentially be added back t core/jquery.ui.dialog after #3192804: Possibly undoing most of jquery.ui.dialog's dependency-detachment
Comment #63
bnjmnmHad to update the hash based on the jquery.ui.dialog library definition.
Comment #64
lauriiiWhy do we need to create this self invoking function here? Maybe we could rename the variable to be more descriptive and add a comment
Comment #65
bnjmnm#64
Added a comment for that. I had to try several things before I found something that work, and it looks like I forgot to comment & provide proper names once I discovered a solution 🙂.
Also updated tabbable to the latest version and rephrased a few comments.
Comment #66
bnjmnmAdded a
CSS.escape
polyfill for IE11 based on the tabbable readme:Comment #67
lauriiiPolyfills have usually used weight: -20. Is there any particular reason for it to be different for this?
This should probably be
core/tabbable.jquery.shim
.Comment #68
bnjmnmComment #69
bnjmnmAdded CSS.Escape dependency evaluation to issue summary. Still looking into how to best go about #67.4
Comment #70
Kristen PolMaybe I missed it but is there manual testing needed for this? I searched the comments and didn't see how it was tested manually if it was done. Or, does the automated tests cover everything?
Comment #71
bnjmnm@Kristen Pol thanks for asking about manual testing in #70! Now that you mention it, manual testing certainly couldn't hurt. Here are the steps that come to mind:
Comment #72
bnjmnmUpdated this CR to include the tabbingmanager changes: [#3156376]
Created an additional CR for the CSS.escape polyfill: [#3196522]
Comment #73
lauriiiI think this is ready for a review from another committer. I reviewed the patch one more time, tested it manually using the steps provided in #71 and reviewed the CR's, and all looked good for me 👌
Comment #74
nod_I reviewed the patch, checked the change notices, went through the step in #71 with IE11 (except the ckeditor from the offcanvas, which i didn't find how to trigger to be honest, even with the steps 🤷) And it's all good, RTBC +1
Comment #75
ilgnerfagundes CreditAttribution: ilgnerfagundes at CI&T commentedI reviewed the patch again, and it looks all right, I followed the instructions in # 71. RTBC +1
Comment #76
lauriiiDiscussed with @xjm and agreed that some of the libraries changes are potentially disruptive. Tagging for release manager review to give them a chance to give feedback.
Comment #77
lauriiiAdding more background for #76.
I discussed #51 with @xjm to make sure that she would be fine with the current approach. That comment documents a recommendation from the release managers to keep the files previously referenced by the libraries in the code base until the next major release. That comment references #2550717: [JS] Replace jQuery.cookie with JS-cookie and provide a BC layer and states that it was acceptable to remove the files there because there was a shim that provided full BC. Because this issue is using the same approach, I suggested on #52 that we would use the same approach here.
As we discussed this, I mentioned that I believe that the changes to library definitions made by this issue (and other jQuery UI related issues), have much higher potential of being disruptive than removing files from core to some users. The libraries system uses file paths as the identifier for alters and overrides.
For example, before #3113400: Deprecate more jQuery UI library definitions and this issue, someone could have replaced the jQuery UI tabbable with custom code with the following configuration:
As a result of these changes, tabbable-min.js is no longer part of the library definition, meaning that any overrides to that file no longer take effect until they have updated to overriding an asset file that is defined in the library definition. I don't think it's likely that many sites would be impacted by this but I mentioned that if we are concerned by this, #3113400: Deprecate more jQuery UI library definitions would have much higher risk of being disruptive because it applies even broader scope of changes to the library definitions.
The same behavior impacts CSS and we have added BC layers to Stable to handle changes to CSS library definitions. See
stable_library_info_alter
for an example of that. Theoretically we could provide similar BC layer to JavaScript, but that would be more complex because we would have to check if a specific file is being overridden and then make some more involved changes to the libraries definitions based on that.If we decide to keep the file in place, we should discuss what we would do if there was a security vulnerability in jQuery UI components that are not being used by core anymore and how are we planning to handle testing those components that are not used by core. It sounds like this is not unique to this issue, so maybe there's already precedent to this.
Comment #78
xjmCorrect; that is not blocking because we already are providing security coverage for the jQuery UI code in core.
Comment #79
xjmThere are quite a few references to tabbable in contrib. Will all these modules need to change their code? It's not clear to me from the change record on the addition of tabbable.
Comment #80
lauriiiI checked the search results from #79.
Some of the results are unrelated uses of tabbable word for other purposes. Bootstrap theme is using it as a classname for targeting horizontal tabs which doesn't have any connection to jQuery UI :tabbable selector.
There are some results that are more related. Some of the search results are AMD module definitions from a copy of jQuery UI as well as some other jQuery UI components defining it as a dependency using AMD. However, Drupal is not using AMD for JavaScript module loading so these can be ignored.
I'm surprised how few references the :tabbable selector has in contrib. However, even these wouldn't have to be changed yet since the shim is not deprecated. This means the change record is only informing users that a new library is added so that developers writing new code could take advantage of the newly added library.
TL;DR is that I don't expect that any of the contrib modules listed in #79 would have to implement changes after this gets committed.
Comment #81
YesCT CreditAttribution: YesCT at Lullabot for Iowa State University commentedI was debugging an issue with mherchel with https://www.drupal.org/project/anchor_link module
While debugging, we used the chrome browser inspector tools network tab to Block request URL for various js files. When I blocked core/assets/vendor/jquery.ui/ui/tabbable-min.js the bug went away.
And a potential fix (using custom code) is https://www.drupal.org/project/drupal/issues/3065095#comment-14010068
We thought since this issue is refactoring things, that the bug with anchor_link module might be useful as a testing use case ... or inspire a test ... for the work on this issue.
Comment #82
bnjmnmPerhaps I'm misunderstanding #81, but here's my thoughts:
It's unlikely that #81 in the scope of this issue, but there would need to be additional information beyond reporting a bug goes away when the file is attached. The potential fix linked to doesn't reference tabbable at all.
I'm not sure what the anchor_link issue mentioned is, but blocking this file could potentially address the specific bug in #3065095: CKEditor native dialogs not clickable inside of jQuery UI dialogs by breaking Dialog initialization before it completes. Removing this file would result in an error closer to the end of the initialization process, after it has been created and it attempts to move focus inside the dialog. The error may stop initialization before it hits the JS causing the bug.
Comment #83
xjmI think this would be the equivalent of a security issue not exposed by core itself; only contrib relying on the deprecated file would be affected. So any potential security issue would only be against those contrib modules, and they could either fix it within the module itself or just replace the deprecated file usage with the correct/supported usage of the tabbingmanager library.
Edit: That said, #80 seems fine, so we're back to just whether to retain the file or not.
Comment #84
bnjmnmThis updates tabbingmanager to the newest version: 5.1.6. Most of the changes in this version are to files not used by core, so the interdiff will show that nothing has changed other than the version number.
I also brought back the jQuery UI tabbable files as that decision is blocking this issue, and it's something that can be addressed in a followup: #3201595: possibly remove jQuery UI tabbable files?.
Comment #85
lauriiiBased on #83 and #51 it seems like the current approach of leaving the file in would be fine to the release managers. I'm removing the needs release manager review tag since I was the only one pushing back on keeping the file, and it seems like all of the other concerns have been addressed. While I don't necessarily think that the current solution is ideal, I'm fine with it being the way it is as long as it helps us move forward on this. We can always remove the file later in #3201595: possibly remove jQuery UI tabbable files?.
Comment #86
nod_Checked the latest patch, still working as expected. RTBC+1
Comment #87
alexpottThis looks really good. One less use of jquery ftw. We've now managed to defer deleting the file and we can make that decision in #3201595: possibly remove jQuery UI tabbable files?.
Dependency evaluations are complete and we have a change record and release note.
Committed daf10a0 and pushed to 9.2.x. Thanks!