Bump iframe-resizer from 4.3.9 to 4.4.2

dependabot[bot] commented 5 months ago

Bumps iframe-resizer from 4.3.9 to 4.4.2.

Commits

See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

github-actions[bot] commented 5 months ago

:clipboard: Stats

File sizes

File	Size
dist/govuk-frontend-development.min.css	113.34 KiB
dist/govuk-frontend-development.min.js	41.88 KiB
packages/govuk-frontend/dist/govuk/all.bundle.js	87.42 KiB
packages/govuk-frontend/dist/govuk/all.bundle.mjs	82.11 KiB
packages/govuk-frontend/dist/govuk/all.mjs	981 B
packages/govuk-frontend/dist/govuk/govuk-frontend-component.mjs	359 B
packages/govuk-frontend/dist/govuk/govuk-frontend.min.css	113.33 KiB
packages/govuk-frontend/dist/govuk/govuk-frontend.min.js	41.87 KiB
packages/govuk-frontend/dist/govuk/i18n.mjs	5.55 KiB
packages/govuk-frontend/dist/govuk/init.mjs	4.86 KiB

Modules

File	Size (bundled)	Size (minified)
all.mjs	79.24 KiB	39.84 KiB
accordion.mjs	23.5 KiB	12.39 KiB
button.mjs	5.98 KiB	2.69 KiB
character-count.mjs	22.4 KiB	9.92 KiB
checkboxes.mjs	5.83 KiB	2.83 KiB
error-summary.mjs	7.89 KiB	3.46 KiB
exit-this-page.mjs	17.1 KiB	9.26 KiB
header.mjs	4.46 KiB	2.6 KiB
notification-banner.mjs	6.26 KiB	2.62 KiB
password-input.mjs	15.15 KiB	7.25 KiB
radios.mjs	4.83 KiB	2.38 KiB
skip-link.mjs	4.39 KiB	2.18 KiB
tabs.mjs	10.13 KiB	6.11 KiB

View stats and visualisations on the review app

Action run for ca001334f9cb65a0c05bfb35f8cd54771b568013

36degrees commented 5 months ago

I don't think there's anything too suspicious going on, but the changes between 4.3.9 and 4.4.2 are a bit all over the place… there's no entries for 4.4.x in the changelog on either the master branch nor the v4 branch of iframe-resizer.

I can't see anything particularly important in the diff other than a large postinstall message advertising a new v5 release (although I believe postinstall scripts run in the background since npm v7).

It does look like the license has changed from MIT to GPL v3 as part of the v5 release. According to the iframe resizer website this means that our project would also need to be published under GPL v3, which I think means we'll need to stay on v4 for now.

Overall I'm inclined to close this?

owenatgov commented 5 months ago

Adding to Ollie's comment above with my 2 pence: In short I agree with Ollie that it's a bit messy and that their priority appears to now be v5 with support for v4.

I don't see anything here to suggest we shouldn't merge it but I'm deffinately not gonna die on that hill. It's probably simpler to close it. It also throws doubt on if we should continue using iframe resizer if we can get away without it. It feels to me like managing this may just lead to a bunch of headaches...

romaricpascal commented 5 months ago

Depending on where you look, 4.4.2 advertises either:

A GPL license (in the package.json, L111)
An MIT license (in the LICENSE file)

I agree with closing given the uncertainty 😊 We should also:

make Dependabot ignore any further update of iframe-resizer
add a test to our package-lock.json.unit.test.js to check we don't accidentaly bump iframe-resizer.

romaricpascal commented 5 months ago

Looks like the 'package.json' license is incorrect actually. That would make it OK to keep receiving 4.x updates, as it's only 5.x that's GPL licensed, I believe. That being said, not updating any further is safer.

dependabot[bot] commented 4 months ago

Superseded by #5125.

alphagov / govuk-frontend