status-im / status-mobile

a free (libre) open source, mobile OS for Ethereum
https://status.app
Mozilla Public License 2.0

[INFO] Outdated libraries #15397

Closed ilmotta closed 1 year ago

ilmotta commented 1 year ago

Outdated libraries

THIS IS A WORK IN PROGRESS

This issue is not concerned with upgrading major libraries, like React Native, but it's an initial attempt to investigate and upgrade some libraries, or many if we're lucky. Of course, we want to do the upgrades piecemeal to avoid wrecking status-mobile.

Consider updating doc/dependencies.md and improving it.

Which libs are outdated?

Run yarn outdated to get the list. The one below was generated on Mar 16, 2023.

Package                                       Current       Wanted        Latest  Package Type           URL                                                                                           
@babel/generator                              7.0.0         7.0.0         7.21.3  devDependencies        https://babel.dev/docs/en/next/babel-generator                                                
@babel/helper-builder-react-jsx               7.0.0         7.0.0         7.19.0  devDependencies        https://babel.dev/docs/en/next/babel-helper-builder-react-jsx                                 
@babel/plugin-transform-block-scoping         7.0.0         7.0.0         7.21.0  devDependencies        https://babel.dev/docs/en/next/babel-plugin-transform-block-scoping                           
@babel/preset-env                             7.1.0         7.1.0         7.20.2  devDependencies        https://babel.dev/docs/en/next/babel-preset-env                                               
@babel/preset-typescript                      7.17.12       7.21.0        7.21.0  dependencies           https://babel.dev/docs/en/next/babel-preset-typescript                                        
@babel/register                               7.0.0         7.0.0         7.21.0  devDependencies        https://babel.dev/docs/en/next/babel-register                                                 
@jest/globals                                 25.5.2        25.5.2        29.5.0  devDependencies        https://github.com/facebook/jest#readme                                                       
@mapbox/node-pre-gyp                          1.0.9         1.0.10        1.0.10  devDependencies        https://github.com/mapbox/node-pre-gyp#readme                                                 
@react-native-async-storage/async-storage     1.17.9        1.17.12       1.17.12 dependencies           https://github.com/react-native-async-storage/async-storage#readme                            
@react-native-community/audio-toolkit         2.0.3         exotic        exotic  dependencies           git+https://github.com/tbenr/react-native-audio-toolkit.git#refs/tags/v2.0.3-status-v6        
@react-native-community/blur                  4.3.0         exotic        exotic  dependencies           git+https://github.com/status-im/react-native-blur#refs/tags/v4.3.1-status                    
@react-native-community/cameraroll            4.0.4         exotic        exotic  dependencies           git+https://github.com/status-im/react-native-cameraroll.git#refs/tags/v4.0.4-status.0        
@react-native-community/clipboard             1.2.2         1.5.1         1.5.1   dependencies           https://github.com/react-native-community/clipboard#readme                                    
@react-native-community/hooks                 2.5.1         2.8.1         3.0.0   dependencies           https://github.com/react-native-community/hooks#readme                                        
@react-native-community/masked-view           0.1.9         0.1.11        0.1.11  dependencies           https://github.com/react-native-community/react-native-masked-view#readme                     
@react-native-community/netinfo               4.7.0         4.7.0         9.3.7   dependencies           https://github.com/react-native-netinfo/react-native-netinfo#readme                           
@react-native-community/push-notification-ios 1.4.1         1.10.1        1.10.1  dependencies           https://github.com/react-native-community/push-notification-ios#readme                        
@react-native-community/slider                3.0.0         3.0.3         4.4.2   dependencies           https://github.com/callstack/react-native-slider#readme                                       
@testing-library/jest-native                  5.3.0         5.4.2         5.4.2   devDependencies        https://github.com/testing-library/jest-native#readme                                         
@testing-library/react-native                 11.5.0        11.5.4        12.0.0  devDependencies        https://callstack.github.io/react-native-testing-library                                      
@types/jest                                   28.1.8        28.1.8        29.5.0  devDependencies        https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/jest                     
@walletconnect/client                         2.0.0-beta.23 2.0.0-beta.55 1.8.0   dependencies           https://github.com/WalletConnect/walletconnect-monorepo/                                      
bignumber.js                                  4.0.2         exotic        exotic  dependencies           git+https://github.com/status-im/bignumber.js.git#refs/tags/v4.0.2-status                     
chance                                        1.1.4         1.1.11        1.1.11  dependencies           http://chancejs.com                                                                           
create-react-class                            15.6.3        15.7.0        15.7.0  dependencies           https://facebook.github.io/react/                                                             
detox                                         19.13.0       19.13.0       20.5.0  devDependencies        https://github.com/wix/Detox#readme                                                           
emojilib                                      2.4.0         2.4.0         3.0.8   dependencies           https://github.com/muan/emojilib#readme                                                       
i18n-js                                       3.5.1         3.9.2         4.2.3   dependencies           https://github.com/fnando/i18n#readme                                                         
jest                                          25.4.0        25.5.4        29.5.0  devDependencies        https://jestjs.io/                                                                            
jest-circus                                   26.6.3        26.6.3        29.5.0  devDependencies        https://github.com/facebook/jest#readme                                                       
jest-image-snapshot                           5.2.0         5.2.0         6.1.0   devDependencies        https://github.com/americanexpress/jest-image-snapshot#readme                                 
nodemon                                       2.0.16        2.0.21        2.0.21  devDependencies        https://nodemon.io                                                                            
nyc                                           14.1.1        14.1.1        15.1.0  devDependencies        https://istanbul.js.org/                                                                      
qrcode                                        1.4.4         1.5.1         1.5.1   dependencies           http://github.com/soldair/node-qrcode                                                         
react                                         16.13.1       16.13.1       18.2.0  dependencies           https://reactjs.org/                                                                          
react-devtools-core                           4.26.1        4.27.2        4.27.2  resolutionDependencies https://github.com/facebook/react#readme                                                      
react-dom                                     16.13.1       16.14.0       18.2.0  dependencies           https://reactjs.org/                                                                          
react-native                                  0.63.5        0.63.5        0.71.4  dependencies           https://github.com/facebook/react-native#readme                                               
react-native-background-timer                 2.2.0         2.4.1         2.4.1   dependencies           https://github.com/ocetnik/react-native-background-timer#readme                               
react-native-blob-util                        0.13.18       0.13.18       0.17.2  dependencies           https://github.com/RonRadtke/react-native-blob-util#readme                                    
react-native-camera-kit                       8.0.4         8.0.4         13.0.0  dependencies           https://github.com/teslamotors/react-native-camera-kit.git                                    
react-native-config                           1.4.2         exotic        exotic  dependencies           git+https://github.com/status-im/react-native-config.git#refs/tags/v1.4.2-status              
react-native-dialogs                          1.1.0         1.1.1         1.1.1   dependencies           https://github.com/aakashns/react-native-dialogs#readme                                       
react-native-draggable-flatlist               3.0.3         3.1.2         4.0.1   dependencies           https://github.com/computerjazz/react-native-draggable-flatlist#readme                        
react-native-fast-image                       8.5.11        8.6.3         8.6.3   dependencies           https://github.com/DylanVann/react-native-fast-image#readme                                   
react-native-fs                               2.16.6        2.20.0        2.20.0  dependencies           https://github.com/itinance/react-native-fs#readme                                            
react-native-gesture-handler                  2.5.0         2.9.0         2.9.0   dependencies           https://github.com/software-mansion/react-native-gesture-handler#readme                       
react-native-haptic-feedback                  1.9.0         1.14.0        1.14.0  dependencies           https://github.com/mkuczera/react-native-haptic-feedback                                      
react-native-hole-view                        2.1.1         exotic        exotic  dependencies           git+https://github.com/status-im/react-native-hole-view.git#refs/tags/v2.1.1-status           
react-native-image-crop-picker                0.36.2        exotic        exotic  dependencies           git+https://github.com/status-im/react-native-image-crop-picker.git#refs/tags/v0.36.2-status.0
react-native-image-resizer                    1.2.3         1.4.5         1.4.5   dependencies           https://github.com/bamlab/react-native-image-resizer#readme                                   
react-native-image-viewing                    0.2.1         exotic        exotic  dependencies           git+https://github.com/status-im/react-native-image-viewing.git#refs/tags/v0.2.1.status       
react-native-keychain                         3.0.0-rc.3    exotic        exotic  dependencies           git+https://github.com/status-im/react-native-keychain.git#refs/tags/v.3.0.0-5-status         
react-native-linear-gradient                  2.5.6         2.6.2         2.6.2   dependencies           https://github.com/react-native-community/react-native-linear-gradient#readme                 
react-native-lottie-splash-screen             1.0.1         1.1.1         1.1.1   dependencies           https://github.com/HwangTaehyun/react-native-lottie-splash-screen#readme                      
react-native-navigation                       7.27.1        7.32.1        7.32.1  dependencies           https://github.com/wix/react-native-navigation                                                
react-native-permissions                      2.1.5         2.2.2         3.8.0   dependencies           https://github.com/zoontek/react-native-permissions#readme                                    
react-native-reanimated                       2.3.3         2.3.3         3.0.2   dependencies           https://github.com/software-mansion/react-native-reanimated#readme                            
react-native-redash                           16.0.11       16.3.0        18.1.0  dependencies           https://github.com/wcandillon/redash#readme                                                   
react-native-safe-area-context                2.0.0         2.0.3         4.5.0   dependencies           https://github.com/th3rdwave/react-native-safe-area-context#readme                            
react-native-shake                            3.4.0         3.5.2         5.1.1   dependencies           https://github.com/Doko-Demo-Doa/react-native-shake                                           
react-native-share                            7.0.1         7.9.1         8.2.1   dependencies           https://react-native-share.github.io/react-native-share/                                      
react-native-status-keycard                   2.5.39        exotic        exotic  dependencies           git+https://github.com/status-im/react-native-status-keycard.git#refs/tags/v2.5.39            
react-native-svg                              9.13.6        9.13.6        13.8.0  dependencies           https://github.com/react-native-community/react-native-svg                                    
react-native-webview                          11.16.0       exotic        exotic  dependencies           git+https://github.com/status-im/react-native-webview.git#refs/tags/v11.16.0-status           
react-test-renderer                           16.13.1       16.13.1       18.2.0  devDependencies        https://reactjs.org/                                                                          
rn-emoji-keyboard                             0.7.0         0.7.0         1.2.1   dependencies           https://github.com/TheWidlarzGroup/rn-emoji-keyboard#readme                                   
rn-snoopy                                     2.0.2         exotic        exotic  devDependencies        git+https://github.com/status-im/rn-snoopy.git#refs/tags/v2.0.2-status                        
shadow-cljs                                   2.11.16       2.11.16       2.22.2  devDependencies        https://github.com/thheller/shadow-cljs#readme                                                
tdigest                                       0.1.1         0.1.2         0.1.2   dependencies           https://github.com/welch/tdigest                                                              
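
To make the list above actionable, here is an added example (not status-mobile code) that parses the table `yarn outdated` prints and sorts each row into a review bucket: git-pinned forks ("exotic"), packages a major behind, in-range upgrades, and packages held back by their package.json range. The bucket names and the reading of "exotic" as a git URL resolution are this example's own assumptions; the sample rows are copied from the output above.

```javascript
// Added example (not status-mobile code): sort the table printed by
// `yarn outdated` into review buckets. Rows copied from the Mar 16, 2023 output.
const SAMPLE = `
Package                                       Current       Wanted        Latest  Package Type           URL
@babel/generator                              7.0.0         7.0.0         7.21.3  devDependencies        https://babel.dev/docs/en/next/babel-generator
@jest/globals                                 25.5.2        25.5.2        29.5.0  devDependencies        https://github.com/facebook/jest#readme
@react-native-community/blur                  4.3.0         exotic        exotic  dependencies           git+https://github.com/status-im/react-native-blur#refs/tags/v4.3.1-status
@react-native-community/netinfo               4.7.0         4.7.0         9.3.7   dependencies           https://github.com/react-native-netinfo/react-native-netinfo#readme
@walletconnect/client                         2.0.0-beta.23 2.0.0-beta.55 1.8.0   dependencies           https://github.com/WalletConnect/walletconnect-monorepo/
react                                         16.13.1       16.13.1       18.2.0  dependencies           https://reactjs.org/
react-native-fs                               2.16.6        2.20.0        2.20.0  dependencies           https://github.com/itinance/react-native-fs#readme
`;

// Leading x.y.z of a version as numbers; prerelease tags (-beta.23) are ignored.
function semver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}
// Parse the whitespace-aligned table; no data field ever contains a space.
function parseOutdated(text) {
  return text.split('\n').map(l => l.trim())
    .filter(l => l && !l.startsWith('Package'))
    .map(l => {
      const [name, current, wanted, latest, type, url] = l.split(/\s+/);
      return { name, current, wanted, latest, type, url };
    });
}
// "exotic": yarn resolved a git URL (here a status-im fork tag), so the registry
// comparison says nothing; the fork must be diffed against upstream by hand, and
// a tag, unlike a commit hash, can be moved. "Wanted" is the newest version the
// package.json range allows; if it equals Current while Latest is newer in the
// same major, the range itself is what blocks the upgrade.
function classify(row) {
  if (row.latest === 'exotic') return 'git-pinned-fork';
  const cur = semver(row.current), lat = semver(row.latest);
  if (!cur || !lat) return 'unparsed';
  if (cur[0] > lat[0]) return 'prerelease-ahead-of-stable';
  if (cur[0] < lat[0]) return 'major-behind';
  if (row.current !== row.wanted) return 'in-range-upgrade';
  return 'range-blocks-upgrade';
}
// Map bucket name -> package names, for a per-bucket review plan.
function triage(text) {
  const out = {};
  for (const row of parseOutdated(text)) {
    const bucket = classify(row);
    (out[bucket] = out[bucket] || []).push(row.name);
  }
  return out;
}
```

Pipe the real `yarn outdated` output into `triage` to get the same buckets for the full list; the "git-pinned-fork" bucket is the one that needs a manual fork-versus-upstream diff rather than a version bump.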

flexsurfer commented 1 year ago

So I would say if we don't have any issues with a library we shouldn't upgrade, for two reasons: breaking changes and new issues in the new version, and security: there might be security threats in new versions.

ilmotta commented 1 year ago

I highly disagree @flexsurfer, upgrading libraries is one of the basic layers of protection against security threats.

For instance, this is on OWASP Top 10 2021, but the recommendation stands for any year:

Every organization must ensure an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio.

-- https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/

And besides security, upgrades may also give us:

The list goes on and on.

Almost every time I read the changelog by libraries I see tons of value in upgrading. Authors are generally releasing for good reasons.

flexsurfer commented 1 year ago

Authors are generally releasing for good reasons.

yeah but not always :)