Comments (10)
@LucasHillDex Thanks for working on #1863 and buschtoens/broccoli-merge-files#431.
I will have a look at the former PR (I'll need time to check how the change affects a work project), and can ask for feedback from @buschtoens.
from ember-intl.
@ijlee2 I had to re-open the PR under a different account: #1864
I'm hoping the changes have zero impact on the behavior of the addon, let me know if you find otherwise. The tests were really good so that gave me a lot of confidence.
My PR to broccoli-merge-files is hung up because of other brocolli packages that are not updated (and maybe the fast-glob update causing public API changes to broccoli-merge-files). As our team has had to take vulnerabilities more seriously I'm definitely starting to appreciate removing dependencies when possible, especially if what the dependency was providing wasn't huge (no shade to broccoli-merge-files, just in this case it felt like an extra step that the translation-reducer could skip if it constructed the final translations.js itself).
from ember-intl.
broccoli-merge-files
has additional vulnerabilities coming in through broccoli-test-helper so it is the source of quite a few vulnerabilities. Could be nice to get rid of it if it is no longer maintained.
from ember-intl.
@ijlee2 would you mind taking a look at this proposed fix? #1863
from ember-intl.
Hi, @LucasHill. I messaged Jan for feedback. Here's the reply that I received:
I donβt really have the time & interest to reasonably maintain
broccoli-merge-files
, so I would recommend to migrate off of it. Sorry. :/Option 2 [Remove the use of
broccoli-merge-files
inember-intl
] would be my recommendation. Do you require my help for reviewing it?I briefly looked at the PR: I can imagine that the removal of intermediary
.json
files will breakember-intl
for CLARK, as AFAIR we rely on that feature.I think it should be possible to do a minimal change by really only replacing the usage of
broccoli-merge-files
with manual broccoli plumbing.
So both Jan and I are, in general, in favor of removing unnecessary dependencies from ember-intl
.
However, because (1) #1864 shows changes to the expected outputs in test files and (2) ember-intl
currently doesn't check in CI more complex ways of loading translations, such as writing translations to dist
folder and pushing translations into ember-intl
, I need to go with an approach that will be the safest for many Ember projects, not just your team's and mine.
In addition, my perspective on vulnerability reports (e.g. from Dependabot) is similar to that of https://overreacted.io/npm-audit-broken-by-design/: For frontend, they tend to produce many false positives, with little actionable information on how a vulnerability can be exploited in practice (especially, in the context of Ember), not just in theory.
For example, broccoli-merge-files
indirectly depends on glob-parent
through fast-glob
, but fast-glob
is used just once to read translation files. (Here, I may be incorrect, since I'm not too familiar with how ember-intl
has used broccoli-merge-files
over the years.)
At work, we use yarn
's overrides
to install [email protected]
, and this works fine with [email protected]
and 7.0.0-beta.2
. Therefore, I think asking end-developers to use their package manager to install [email protected]
is a safer option than merging #1864.
As I mentioned earlier, it will take me some time (about a week) to learn more about broccoli-merge-files
and test the proposed change in #1864 against my team's production project. In the meantime, you could help me out by:
- Creating an additional Ember app(s) in the
docs
folder, so that, in CI, we can check that we can continue to (1) push translations intoember-intl
and (2) write translations todist
folder. - Looking into "only replacing the usage of
broccoli-merge-files
with manual broccoli plumbing" than Jan mentioned. That is, the expected outputs in test files are to remain the same. - Talking to your security team about considering the risk of
glob-parent
fromember-intl
to be low. Together, figure out howfg.stream()
(fromfast-glob
) can actually be exploited.
What do you think?
from ember-intl.
@ijlee2 thanks for the detailed feedback.
We have certain regulatory requirements that make working with these vulnerabilities more difficult and while I agree there is a great argument for how low the risk is for these vulnerabilities in build tools we are still making an effort to remove them.
I understand now the effect of removing the intermediate json files, my original interpretation was those were thrown out in favor of the final translations.js
file. I should be able to modify my PR to restore those json files pretty easily.
Could you tell me a little more of what you'd want with the additional docs app?
from ember-intl.
@ijlee2 I updated my PR to get back the behavior I had inadvertently removed. If I'm understanding correctly, we need to support the publicOnly=true
case where the translations get loaded asynchronously rather than being combined into the bundle. Could you let me know if my new approach is right? Is the additional docs app you want to enable tests that the publicOnly=true
case works?
from ember-intl.
@LucasHill For additional docs-apps, let's start with #1866 and #1867, because I'm not sure yet how we could test the dist
folder easily in CI, when setting publicOnly
to true
.
#1866 is easier to complete so I recommend that you start with that one (with create 1 PR per issue). Let me know if you need clarifications and I can reply to you next week.
Thanks,
from ember-intl.
@ijlee2 Unfortunately I don't have the bandwidth currently to take on those projects, are they a prerequisite for patching the vulnerability? Do you have concerns my PR as it is now may break compatibility with other projects? To me is looks like the output will be the exact same as it is currently, but I could still be missing some context.
from ember-intl.
@LucasHill Sorry for a late reply. I definitely want to see #1866 and #1867 completed before #1864 is tested, since these two apps will give us more confidence in merging #1864.
No worries about currently lacking bandwidth. I suggest that we rely on the Ember community to lend help with the two issues (if no one takes them, I'll get to them later). In the meantime, will you use your package manager's overrides feature to install [email protected]
?
from ember-intl.
Related Issues (20)
- A simple, autogenerated integration test fails for a component using a translation in ember-intl 6.1.2 HOT 6
- Bundle size regression in v6.2.0 HOT 3
- Merge this into formatjs HOT 3
- Incompatible with native `ember-source` types HOT 5
- `allowEmpty` class property not respected in v6.3.1 HOT 1
- Extending helpers like FormatDate has braking changes between v6.2.2 and v6.3.0+ HOT 5
- Basic usage results in: You attempted to update `_locale` [...] infinite revalidation bugs, and performance issues, and is not supported. HOT 4
- How to use `publicOnly: true` in Embroider apps HOT 17
- v6 - Error on valid use of `many`: message cannot be parsed: Unknown plural category: many HOT 1
- Deleted
- Plans for v7 release
- Memory leak regression after upgrading to `>= 6.3.0` HOT 3
- Do not blow up the whole page if a variable is missing ? HOT 2
- Create a docs-app that checks `wrapTranslationsWithNamespace: true`
- Create a docs-app that checks fetching translations HOT 1
- Create a docs-app that checks `publicOnly: true`
- Could not find module `eventemitter3` HOT 3
- [Feature Request] Add strict mode for setupIntl test hook HOT 3
- Cannot silence missing translations output on build HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ember-intl.