Update our yarn dev dependencies to the extent allowed by current constraints

Maybe a duplicate of
#3258933: [meta] Update JavaScript dependencies for Drupal 10
#3246148: [meta] Update JavaScript dev dependencies to latest major releases before 9.4.0

On mobile so can't check for sure but it seems likely this is the same issue as @alexpott had in #3258933: [meta] Update JavaScript dependencies for Drupal 10 as there doesn't seem to have been a new release of terser yet, which has some dependency warning with acorn.

Adding acorn as an explicit dependency seems to solve the issue, we should be able to remove it again when a new version of terser is released.

I think the JS changes noted in #13 are due to a bug fix in Babel 7.16, possibly https://github.com/babel/babel/pull/13842 - the input/output in the tests there look similar to the changes here where destructuring is rewritten to go through _ref, and if I take Safari and iOS out of our browser support list, the changes go away.

An update to Stylelint also caused a new error: Expected "currentColor" to be "currentcolor" value-keyword-case

Solved with "camelCaseSvgKeywords": true as per https://github.com/stylelint/stylelint/issues/5863

I've opened the following issue on github to ask terser for a release - https://github.com/terser/terser/issues/1143 - as I think they've already fixed the issue.

This looks great. Nice work on explaining why the changes are occurring and keeping the CSS the same.

+1 for RTBC

Changes to the JS are mostly whitespace. Setting the prototype as unwrittable for Drupal.Message and Drupal.DatepickerPolyfill doesn't impact contrib (that I can see) so the change is safe.

Do we need dependency evaluation for acorn given that it's now a direct dev dependency?

Upgrading CSpell means we need to rebuild the dictionary for all branches.

Dictionaries updated.

> Do we need dependency evaluation for acorn given that it's now a direct dev dependency?

I would suggest not, as it was an indirect dependency before, we don't use it directly, and this is hopefully only temporary - once the next version of terser is released we should be able to remove it again.

Babel release a new patch release last week https://github.com/babel/babel/releases/tag/v7.17.2 so MRs needs to be updated. There are a couple of other releases to other dependencies as well but nothing major. I updated the different MRs

Other than that I checked that the compiled js/css didn't change in any meaningful way and that all the commands in the package.json were still working.

9.2 : OK - yarn audit 12 Moderate vulnerabilities (all about regex)
9.3 : OK - yarn audit 16 Moderate | 1 High (same regex stuff as 9.2 + 5 more regex issues from ckeditor deps)
9.4 : OK - yarn audit 16 Moderate | 1 High (same as 9.3)
10.0 : OK - yarn audit 16 Moderate | 1 High (same as 9.3)

I pushed some code but this is RTBC for me.

I opened #3264520: Remove acorn from package.json as a followup.

I checked each of @nod_'s "yarn upgrade" commits and they all look OK to me with minor/patch level versions only, so I am marking this RTBC alongside the comment above.

Merged in the head of each branch so the patches apply cleanly.

On 10.0.x (and perhaps others) Running yarn vendor-update results in changes that should be part of the MR. Setting back to NW for this + rebase will likely be needed due to #3228464: API for contrib projects to load CKEditor translations.

Ran yarn vendor-update on 9.3.x, 9.4.x and 10.0.x (it doesn't exist in 9.2.x).

Thanks @longwave! With a small cspell adjustment due to a recent commit, this is good for 10.0.x. I'm committing via Gitlab merge and will continue reviewing for potential commit in descending order.

I made a similar tiny cspell adjustment, which makes 9.4.x fine to commit. On to 9.3!

@terser is going to get a release on Monday so we should be able to clean this bit of this up quite soon.

#3264520: Remove acorn from package.json has landed so adding the acorn dependency is no longer necessary.

Bumping to critical. It would be good to get this in before the next 9.3 patch release.

Tried _really_ hard, but doing a yarn remove acorn only resulted in the removal of acorn from package.json on both 9.3.x and 9.2.x.

Are we allowed to do a vendor-update in a patch release? This is end-user-facing JavaScript and here will bump the version of popperjs from 2.10.2 to 2.11.2, and underscore from 1.13.1 to 1.13.2.

As far as I'm aware I only did a rebase using the GitLab GUI and a yarn remove acorn as shown here.
I normally prefer merging the branch into the MR, but was told here #3264122-20: Move all non migration aggregator tests to the module in preparation of removal in d10 rebasing was preferred.

No clue where the updates come from or what I could have done wrong.

Sorry, #46 wasn't a response/question directly to you, more an observation that we upgraded these packages for 9.4.x/10.0.x, but can we safely do that in 9.3.x seeing as we already released 9.3.0 - or should we be more conservative if we aren't fixing security issues? We treat all JS deps as dev dependencies, but popper, underscore, etc are used in the front end of sites, they are only dev dependencies because they are part of our build process.

Ah, no problem, love questions that aren't (directly) directed at me ;)

Opened #3266912: Review version constraints for production yarn dependencies to review version constraints for all production dependencies.

MR is failing with:

yarn run v1.22.17
$ cross-env BABEL_ENV=legacy node ./scripts/js/babel-es6-build.js --check --file /var/www/html/core/modules/ckeditor5/js/ckeditor5.admin.es6.js
[21:29:35] '/var/www/html/core/modules/ckeditor5/js/ckeditor5.admin.es6.js' is being checked.
Done in 1.18s.

/var/www/html/core/modules/ckeditor5/js/ckeditor5.admin.es6.js
  670:9  error  Expected indentation of 8 space characters but found 10  react/jsx-indent

✖ 1 problem (1 error, 0 warnings)
  1 error and 0 warnings potentially fixable with the `--fix` option.

Looks like the 9.3.x MR still needs some work. There's a problem with the latest version of eslint-plugin-react since they introduced stricter validation constraints for React version configuration which is currently set to "latest" which isn't a valid semver version. We might have to pin that to 7.29.0 until we have that sorted out.

On top of that, there's some changes after running yarn build:js which seem incorrect. For some reason some files are not being built correctly because I can see that the built files have const, arrow functions and class syntax.

#55 seems to be a false positive in eslint-plugin-react 7.29.1 and fixed in 7.29.2. Pushed an upgrade commit to the MR.

Also switched from latest to detect in the React version, which falls back to latest while emitting a warning that we can hopefully ignore for now.

I don't see the changes @lauriii mentions in #56, yarn build is clean for me, so back to NR for another look.

Same for me build is clean, probably something in the cache that messes things up? to be safe I delete the node_modules directory pretty frequently :)

Backbone has been bumped to 1.4.1 (from 1.4.0) since they had a release a few days ago. Either need to stay on 1.4 or run vendor-update.

Backbone updated to 1.4.1 in 9.3.x.

let's keep it at 1.4.0 then, and create a new issue to update all the branches at the same time.

Pinned Backbone to 1.4.0, ran yarn vendor-update again.

Opened #3267339: Update Backbone to 1.4.1

Re #61 I think the test fail for backbone 1.4.1 is because we've not updated core/core.libraries.yml to have the correct version - I think to get 9.3.x tests passing on backbone 1.4.1 all we need to do is make similar changes like we're doing for underscore.

The version is hardcoded in a test, backbone was chosen because it doesn't release new versions often i think, so we wouldn't need to update the test often.

Yeah the test fail was this hardcoded in AttachedAssetsTest:

    $this->assertStringContainsString('core/assets/vendor/backbone/backbone-min.js?v=1.4.0', $rendered_js, 'JavaScript version identifiers correctly appended to URLs');

However IMO we should not upgrade Backbone on 9.3.x before we have done 9.4.x/10.0.x so I think deferring to a separate issue where it can be committed to all branches together is better.

Committed to 9.3.x. 9.2.x currently "Custom commands failed".

Also needs followup per #51 before this can be marked fixed.

In the 9.2.x branch we are back to this problem:

$ yarn check -s
error "terser#acorn@^8.5.0" doesn't satisfy found match of "acorn@7.4.1"

Running yarn upgrade terser makes it worse somehow:

$ yarn check -s
error "acorn" is wrong version: expected "8.7.0", got "7.4.1"
error "espree#acorn" not installed
error "espree#acorn-jsx" not installed

Not sure what the next steps are here.

From looking at the terser release notes it seems like it should be safe to lock terser into staying on 5.7.0 in Drupal 9.2 and not concern ourselves with dependency headaches on the version that will be unsupported soonest.

terser 5.10.0 and above seem to cause the issue so I set package.json to ^5.3.4 <5.10.0 which has solved it locally for me.

yarn audit returns 9 Moderate vulnerabilites on 9.2.x, there is a babel update but it doesn't change the number of vulnerabilites, so RTBC :)

Thanks!

Committed to 9.2.x. I can't mark this fixed until the followup requested in #51 is filed:

Discussed this with @lauriii and he suggested that we add a constraint in this issue for Popper to keep it restricted to a patch-level update for 9.3.x, and then to re-run the yarn upgrade and the vendor build. (I think it doesn't matter for 9.2.x since the vendor update script wasn't in 9.2 anyway.)

Then, we'll file a followup to add constraints on the production dependencies so we can keep the vendor update consistent but locked to patch versions unless we make an explicit decision to do a minor update in a patch release. Going forward, each minor, we'll deliberately increase constraints to the latest minor version for the production vendor dependencies prior to beta/RC.

Wasn't the followup created in #54? #3266912: Review version constraints for production yarn dependencies

Re #76 @longwave you are correct! Looks like the tag just wasn't removed. Thanks and FIXED!