[wp-trac] [WordPress Trac] #56452: Deprecated NPM + update jQuery 3.6.1

WordPress Trac noreply at wordpress.org
Wed Oct 5 19:06:57 UTC 2022


#56452: Deprecated NPM + update jQuery 3.6.1
--------------------------------+-------------------------
 Reporter:  malthert            |       Owner:  (none)
     Type:  defect (bug)        |      Status:  closed
 Priority:  normal              |   Milestone:
Component:  External Libraries  |     Version:
 Severity:  critical            |  Resolution:  invalid
 Keywords:                      |     Focuses:  javascript
--------------------------------+-------------------------
Changes (by desrosj):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 Hi @malthert,

 Thanks for this one! All of the issues you raised are good ones, and are
 already being addressed in various ways. I'll try to detail those ways
 below.

 > 1) npm 6 is deprecated since almost 2 years

 This is not entirely true. Versions 6.x and 7.x of npm are considered
 "Legacy Releases". Because these versions of npm are bundled with NodeJS
 versions that are still supported (NodeJS 14.x and 16.x), 6.x and 7.x are
 not abandoned.

 Core (and [https://github.com/wordpress/gutenberg Gutenberg]) currently
 use NodeJS 14.x, [https://github.com/nodejs/release#release-schedule which
 is in maintenance mode until April 30, 2023]. Instead of updating to 16.x
 (the current active LTS), 18.x will become the active LTS on October 25,
 2023. The plan is currently to wait until then, so we can skip 16.x and
 upgrade straight to NodeJS 18.

 #56658 is opened to discuss that.

 > - package-lock.json lockfileVersion increased since npm 7 and
 > incompatible with old npm
 > => can be fixed by calling "npm update" (will not update any packages
 > but only increase lockfileVersion on first run)

 This is one reason why Core/Gutenberg still use npm 6.x. The new lock file
 format is both forward and backward compatible and both formats work no
 matter the npm version (6, 7, or 8). However, the lock file format will
 change between both formats depending on the version you use. See #52951.

 Both changes above need to be performed at the same time in both the Core
 SVN and Gutenberg repositories to avoid any compatibility issues.

 > - `"npm": ">=6.14.8"` should be increased (node too)
 > => which version do we want? 7? (which would be the absolute minimum,
 > could go to 8 directly)

 One thing to note is the only
 [https://github.blog/changelog/2021-10-07-npm-cli-upgraded-to-version-8/ difference between npm 7 and 8 is support
 for NodeJS 10 was dropped]. So 7 should just be skipped.

 > 2) tons of old and very old packages that need to be updated, bc they
 > were renamed or have security issues.
 > These partly date back to before the WP 6.0 (partly even before WP 5.9)
 >
 > Does updating npm have a periodic tasks before creating new WP releases?
 > It doesn't seem like it, but it should have, to avoid shipping outdated JS
 > with security issues.

 Actually, npm `dependencies` and `devDependencies` are updated several
 times throughout each release cycle, including updates after running
 `npm audit fix`. #56641 is the latest ticket for tracking these updates during
 the 6.0 cycle. Updates are evaluated on a case by case basis, and often
 times, updates to `dependencies` require coordination between Core SVN and
 Gutenberg, as there are some shared.

 `dependencies` that are externally maintained libraries are maintained in
 the External Libraries component. Here's a
 [https://core.trac.wordpress.org/query?component=External+Libraries&milestone=6.1&group=status&col=id&col=summary&col=milestone&col=owner&col=type&col=status&col=priority&order=priority
 list of tickets being included in 6.1].

 > 2b) what about other external JS (not part of NPM), e.g. jquery-migrate.
 > Is there a process when doing "releases" to ensure those get updated?

 See last answer.

 > 3) update jQuery to 3.6.1 (latest, non-breaking bug-fix release)

 This was addressed in #56451 and will ship in 6.1.

 > 4) update jquery-migrate to 3.4.0 (latest)

 Until recently, WordPress had been stuck on 1.x of jQuery. This changed in
 #37110, but the steps required to update such a popular library in
 software as widely used as WordPress are very complicated. A
 [https://make.wordpress.org/core/2020/06/29/updating-jquery-version-shipped-with-wordpress/ roadmap for this process]
 was published, and is still in progress.

 It looks like the 3.4.0 release is a minor update that includes one fix
 for jQuery >= 4 (which does not apply to Core currently), documentation
 updates, one change to fix a `cssProps` warning, and a feature allowing
 selective disabling of Migrate patches. While the update should definitely
 be applied at some point, a ticket was not opened in time for 6.1 (RC1 is
 this coming Tuesday, and only bug fixes are allowed after beta 1), and
 this is not an urgent update to apply.

 The ultimate goal and final step in the roadmap is to remove
 `jquery-migrate`.

 Since there is a lot going on in this issue, I've created #56743 to work
 on updating `jquery-migrate`. I'm also going to close this out as
 `invalid`, but not because this is a bad report. That's just the default
 resolution for this Trac instance.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56452#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
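
The lock file behaviour discussed in the comment above (both formats work with npm 6, 7 and 8, but the file flips format depending on which npm writes it) can be caught before commit with a check like the following. This is an added example, not code from the ticket or from WordPress; the function names and sample lockfiles are constructed, and it assumes npm 6 writes `lockfileVersion` 1 while npm 7 and 8 write `lockfileVersion` 2.

```javascript
// Added example, not WordPress code. Assumed format facts:
// npm 6 writes lockfileVersion 1 (only a "dependencies" tree);
// npm 7 and 8 write lockfileVersion 2 ("packages" map plus a legacy "dependencies" tree).
const WRITES = { 6: 1, 7: 2, 8: 2 };

// Infer the format from the file's structure rather than trusting the declared number alone.
function structuralVersion(lock) {
  return lock && typeof lock.packages === 'object' && lock.packages !== null ? 2 : 1;
}

// Report what running a given npm version against this lockfile implies.
function checkLockfile(lock, npmVersion) {
  const major = parseInt(String(npmVersion).split('.')[0], 10);
  const writes = WRITES[major];
  if (writes === undefined) {
    return { ok: false, reason: `npm ${npmVersion} is outside the 6/7/8 range covered here` };
  }
  const declared = lock.lockfileVersion;
  const actual = structuralVersion(lock);
  if (declared !== actual) {
    return { ok: false, reason: `declares lockfileVersion ${declared} but is structured as ${actual}` };
  }
  if (declared !== writes) {
    return { ok: false, reason: `npm ${major} would rewrite lockfileVersion ${declared} as ${writes}` };
  }
  return { ok: true, reason: `npm ${major} keeps lockfileVersion ${declared}` };
}

// Constructed sample lockfiles (not taken from WordPress Core or Gutenberg).
const v1Lock = {
  name: 'sample', lockfileVersion: 1,
  dependencies: { jquery: { version: '3.6.1' } },
};
const v2Lock = {
  name: 'sample', lockfileVersion: 2,
  packages: { '': { name: 'sample' }, 'node_modules/jquery': { version: '3.6.1' } },
  dependencies: { jquery: { version: '3.6.1' } },
};

for (const [label, lock, npm] of [
  ['v1 + npm 6.14.8', v1Lock, '6.14.8'],
  ['v1 + npm 8.19.2', v1Lock, '8.19.2'],
  ['v2 + npm 6.14.8', v2Lock, '6.14.8'],
]) {
  const r = checkLockfile(lock, npm);
  console.log(`${label}: ${r.ok ? 'OK' : 'FAIL'} - ${r.reason}`);
}
```

A failing result on an otherwise unrelated change usually means the lock file was regenerated by a different npm major, which makes the dependency diff hard to review.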

