Get rid of dependencies + Adopt/fork rest

[taoeffect]

Problem

We have too many dependencies / third-party libraries. Dependencies are liabilities almost as much as they are assets.

Related issues:

• 361 - "You Might Not Need Lodash"

• 360 - Get rid of NPM

• 349 - Update dependencies

• 340 - Prevent package-lock.json from breaking when deps-of-deps update

• 21 - Bundle dependencies

Solution

for (each dependency) {

• Either get rid of it by writing our own slimmed down implementation of it (e.g. #361)
• Or, adopt it by forking it to our Gitlab, trimming it down to remove all unnecessary functionality, and using our version of it (#360, #340, #21)

}

This includes Bulma.

In the end, the only third-party dependencies we should be left with are devDependencies, and even those might not be necessary. As much as possible should be removed or adopted, i.e. we don't need a minifier if our codebase is so small that it doesn't require minification.

In the end, we should get rid of npm and the package-lock.json file as well (since it's so problematic + not helpful). By having our own trimmed-down, audited forks of everything we don't need to worry about new issues arising from updates.

We then don't need to worry about what happens if "npm is down" or "npm is compromised", and we can rely on GPG + git signatures to verify the codebase and commits - Issue #153.

• Related: update contributing docs to note all of this and discourage new dependencies from being added.

EDIT: this issue can be closed if #586 and #1101 are closed.

[CrazedCoding]

Running:

found 450 vulnerabilities (447 low, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details
phenomenon@phenomenon:~/group-income-simple-work$ npm audit

Yields:

Probably should prioritize dropping these packages soon if at all possible.

[snowteamer]

When attempting to use our own GitHub fork of a dependency, Travis CI complains about not being able to access it, apparently because of some missing access rights:

[taoeffect]

@snowteamer I think you need to specify the URL in such a way that it doesn't attempt to access the repo via SSH, but instead uses HTTPS.

[snowteamer]

Using a full commit hash in the dependency specification instead of a branch name, and/or reverting to NPM 6.x seems to bypass the issue.

...
"pug-lint-vue": "github:snowteamer/pug-lint-vue#2702763877bfd1b77c56c81542a22a058e42e952",
...

Relevant NPM issue: https://github.com/npm/cli/issues/2610