Package 3rd party JS dependencies via webpack - Githubissues

Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/

Apache License 2.0

456 stars 603 forks source link

Package 3rd party JS dependencies via webpack #2843

Open kwin opened 2 years ago

kwin commented 2 years ago

Currently the third party JS libraries shipped in https://github.com/Adobe-Consulting-Services/acs-aem-commons/tree/master/ui.apps/src/main/content/jcr_root/apps/acs-commons/clientlibs/vendor are

embedded manually (sometimes the original source is not clear)
heavily outdated
partially contain vulnerable versions

I suggest to

Switch to a dedicated frontend build module leveraging webpack for referencing 3rd party libraries (based on the approach from https://github.com/adobe/aem-project-archetype/tree/develop/src/main/archetype/ui.frontend.general)
Get rid of all no longer useful 3rd party libraries (e.g. lodash, json)
Use dependabot to get notified about updated and vulnerable library versions.

Here is a list of currently embedded JS Libs:

Library	Version	Remark
AngularJS	1.3.3 (2014) and 1.2.26	No longer supported since Jan 2022
Fontawesome	4.4.0	CSS Only
JSON2.js	?	This file does nothing on ES5 systems. Every browser since IE8 supports it natively
JSONDiffPatch	?
JSPlumb	1.7.2	Should be updated
QRCode	unclear	source is not clear
Lodash	4.17.21	no longer in use (https://github.com/Adobe-Consulting-Services/acs-aem-commons/commit/bfe1c01ee1bb5e6af2fa02af7fb66e8975423ee9)

(the history at https://github.com/Adobe-Consulting-Services/acs-aem-commons/commits/acs-aem-commons-4.3.0/content/src/main/content/jcr_root/etc/clientlibs/acs-commons/vendor may expose further details)

kwin commented 2 years ago

@davidjgonzalez Can you help identifying both source and version of the currently packed 3rd party JS dependencies?