sahat / hackathon-starter

A boilerplate for Node.js web applications
MIT License

Migrate off tumblrJS #1237

Closed YasharF closed 1 year ago

YasharF commented 1 year ago

tumblrJS is the official client library from Tumblr. However, it looks like they are no longer actively investing or maintaining their library. The library still depends on requestJS even after its deprecation years ago. It is currently the only library that is causing deprecation and vulnerability warnings during our "npm install" step.

It also adds 7 sec to the startup time of the app, which is 33% of the load time for api.js (21.4s) and about 14.6% of the overall module load time (48.5s as measured by require-times).

We can replace the out-of-date library with some REST calls using Axios in our examples: https://www.tumblr.com/docs/en/api/v2
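As an added example that is not part of this thread or of hackathon-starter's own code: the deprecation warnings above come from a transitive dependency, and the first question a maintainer asks is which direct dependency drags it in. The script below walks a package-lock.json (lockfileVersion 2/3 "packages" layout, using the `deprecated` field npm writes there) and reports every chain from the project root to a deprecated package; the lockfile it runs on is a constructed fixture with illustrative version numbers, not the project's real lockfile.

```javascript
// Added example (not hackathon-starter or tumblr.js code): find the dependency
// chains in a package-lock.json that lead to deprecated packages such as request.
// The lockfile below is a constructed fixture; versions are illustrative only.
const constructedLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'tumblr.js': '^3.0.0', axios: '^1.0.0' } },
    'node_modules/axios': { version: '1.0.0', dependencies: { 'follow-redirects': '^1.0.0' } },
    'node_modules/follow-redirects': { version: '1.0.0' },
    'node_modules/tumblr.js': { version: '3.0.0', dependencies: { request: '^2.0.0' } },
    'node_modules/request': { version: '2.88.2', deprecated: 'request has been deprecated' },
  },
};

// npm-style resolution: try <from>/node_modules/<name>, then walk up the tree
// one node_modules level at a time until the root ('' key) is reached.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Depth-first walk from the root's "dependencies" (devDependencies ignored).
// Returns one array of package names per chain ending at a deprecated entry,
// or, when `target` is given, per chain ending at that package name.
function deprecatedChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (key, chain, seen) => {
    const entry = packages[key];
    if (!entry) return;
    const last = chain[chain.length - 1];
    const hit = target ? last === target : Boolean(entry.deprecated);
    if (hit && chain.length) chains.push(chain);
    for (const name of Object.keys(entry.dependencies || {})) {
      const next = resolveKey(packages, key, name);
      // `seen` is per path, so cycles stop without hiding other routes.
      if (next && !seen.has(next)) walk(next, chain.concat(name), new Set(seen).add(next));
    }
  };
  walk('', [], new Set(['']));
  return chains;
}
```

Running `deprecatedChains(constructedLock)` on the fixture yields the single chain tumblr.js > request, which is exactly the dependency this issue removes.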

YasharF commented 1 year ago

Ref: I created https://github.com/tumblr/tumblr.js/issues/91 in March 2020, over three years ago.

Other folks mentioning the lack of maintenance: https://github.com/tumblr/tumblr.js/issues/96 https://github.com/tumblr/tumblr.js/issues/144 https://github.com/tumblr/tumblr.js/issues/101

YasharF commented 1 year ago

Fixed by https://github.com/sahat/hackathon-starter/commit/b2a5a7dc630afdb14aadc33c81551d8d5765a4e3

sirreal commented 1 year ago

I hope to have a new release of tumblr.js soon and it could be brought back then 🙂

YasharF commented 1 year ago

@sirreal thanks for looking into it, but I am concerned about your team's resourcing and prioritization for maintenance of the package in the long run. I am sure you and your colleagues are good developers, but it feels like there is a resourcing or prioritization issue from your management for monitoring and maintenance of the package. What I would like to see is:

  1. A solid year+ trend and history of monitoring, patching, bug fixes, addressing GitHub issues and pull requests with a reasonable SLA.
  2. Addition of the package and its dependency hygiene to tumblr's bug bounty program. The hygiene may need to have a reasonable SLA, like if we don't fix something within 30 days and you report it to the bounty program ...
  3. Addressing the performance issues. I don't want to add 7 sec to the app's startup time when adding a single line const tumblr = require('tumblr.js'); . The 7 sec was 15% of the require load times in hackathon starter during my last profiling. The app loads up 15% faster now without the dependency. The startup time does matter when a dev has to restart the app over and over as they build features and bug-fix their app.

Ref/background: my and other GitHub issues at https://github.com/tumblr/tumblr.js/issues

sirreal commented 1 year ago

Tumblr.js v4 has been released, and I hope you see it's addressed the issues you've outlined.

Addressing the performance issues. I don't want to add 7 sec to the app's startup time when adding a single line const tumblr = require('tumblr.js'); .

I agree, that is unacceptable and frankly ridiculous. You should see it's no longer a problem with v4:

time node -e 'console.log(require("tumblr.js").Client.version)'
# 4.0.0
# 0.04s user 0.01s system 101% cpu 0.053 total

I'd be happy to contribute a PR bringing this up to date with tumblr.js v4.