Make WordPress Core

#56452 closed defect (bug) (invalid)

Deprecated NPM + update jQuery 3.6.1

Reported by: malthert
Owned by:
Milestone:
Priority: normal
Severity: critical
Version:
Component: External Libraries
Keywords:
Focuses: javascript
Cc:

Description

A variety of issues that I think make sense to tackle now, with enough time until WP 6.1 is released in case any issues come up.

Why is this critical? A lot of (dependency) packages seem to have security-related issues (as per npm).

1) npm 6 has been deprecated for almost 2 years

  • package-lock.json lockfileVersion has increased since npm 7 and is incompatible with old npm

=> can be fixed by calling "npm update" (will not update any packages, but only increases the lockfileVersion on the first run)

  • "npm": ">=6.14.8" should be increased (node too)

=> which version do we want? 7? (which would be the absolute minimum, could go to 8 directly)

2) tons of old and very old packages that need to be updated, because they were renamed or have security issues.
These partly date back to before WP 6.0 (partly even to before WP 5.9).

Does updating npm happen as a periodic task before creating new WP releases? It doesn't seem like it, but it should, to avoid shipping outdated JS with security issues.

I think it makes sense to create a branch now to update (resolve dependency issues, ...),
then once again before the first beta of the next release, and then merge this branch.

Then periodically before every first beta of the upcoming release.

2b) What about other external JS (not part of NPM), e.g. jquery-migrate? Is there a process when doing "releases" to ensure those get updated?

3) update jQuery to 3.6.1 (latest, non-breaking bug-fix release)

4) update jquery-migrate to 3.4.0 (latest)

Change History (1)

#1 in reply to: ↑ description @desrosj
17 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @malthert,

Thanks for this one! All of the issues you raised are good ones, and are already being addressed in various ways. I'll try to detail those ways below.

1) npm 6 has been deprecated for almost 2 years

This is not entirely true. Versions 6.x and 7.x of npm are considered "Legacy Releases". Because these versions of npm are bundled with NodeJS versions that are still supported (NodeJS 14.x and 16.x), 6.x and 7.x are not abandoned.

Core (and Gutenberg) currently use NodeJS 14.x, which is in maintenance mode until April 30, 2023. Instead of updating to 16.x (the current active LTS), 18.x will become the active LTS on October 25, 2023. The plan is currently to wait until then, so we can skip 16.x and upgrade straight to NodeJS 18.

#56658 is opened to discuss that.

  • package-lock.json lockfileVersion has increased since npm 7 and is incompatible with old npm

=> can be fixed by calling "npm update" (will not update any packages, but only increases the lockfileVersion on the first run)

This is one reason why Core/Gutenberg still use npm 6.x. The new lock file format is both forward and backward compatible, and both formats work no matter the npm version (6, 7, or 8). However, the lock file format will change between both formats depending on the version you use. See #52951.

Both changes above need to be performed at the same time in both the Core SVN and Gutenberg repositories to avoid any compatibility issues.

  • "npm": ">=6.14.8" should be increased (node too)

=> which version do we want? 7? (which would be the absolute minimum, could go to 8 directly)

One thing to note is the only difference between npm 7 and 8 is support for NodeJS 10 was dropped. So 7 should just be skipped.

2) tons of old and very old packages that need to be updated, because they were renamed or have security issues.
These partly date back to before WP 6.0 (partly even to before WP 5.9).

Does updating npm happen as a periodic task before creating new WP releases? It doesn't seem like it, but it should, to avoid shipping outdated JS with security issues.

Actually, npm dependencies and devDependencies are updated several times throughout each release cycle, including updates after running npm audit fix. #56641 is the latest ticket for tracking these updates during the 6.0 cycle. Updates are evaluated on a case-by-case basis, and oftentimes updates to dependencies require coordination between Core SVN and Gutenberg, as there are some shared dependencies.

Dependencies that are externally maintained libraries are maintained in the External Libraries component. Here's a list of tickets being included in 6.1.

2b) What about other external JS (not part of NPM), e.g. jquery-migrate? Is there a process when doing "releases" to ensure those get updated?

See last answer.

3) update jQuery to 3.6.1 (latest, non-breaking bug-fix release)

This was addressed in #56451 and will ship in 6.1.

4) update jquery-migrate to 3.4.0 (latest)

Until recently, WordPress had been stuck on 1.x of jQuery. This changed in #37110, but the steps required to update such a popular library in software as widely used as WordPress are very complicated. A roadmap for this process was published, and is still in progress.

It looks like the 3.4.0 release is a minor update that includes one fix for jQuery >= 4 (which does not apply to Core currently), documentation updates, one change to fix a cssProps warning, and a feature allowing selective disabling of Migrate patches. While the update should definitely be applied at some point, a ticket was not opened in time for 6.1 (RC1 is this coming Tuesday, and only bug fixes are allowed after beta 1), and this is not an urgent update to apply.

The ultimate goal and final step in the roadmap is to remove jquery-migrate.

Since there is a lot going on in this issue, I've created #56743 to work on updating jquery-migrate. I'm also going to close this out as invalid, but not because this is a bad report. That's just the default resolution for this Trac instance.
