Bump to 4.15.2-0

[compulim]

Related to #4192.

Changelog Entry

Changed

• Bumped all dependencies to the latest versions, by @compulim in PR #4195
  • Production dependencies
    • @babel/runtime@7.17.2
    • @emotion/css@11.7.1
    • base64-arraybuffer@1.0.2
    • core-js@3.21.1
    • globalize@1.7.0
    • markdown-it-attrs@4.1.3
    • memoize-one@6.0.0
    • mime@3.0.0
    • prop-types@15.8.1
    • react-redux@7.2.6
    • redux@4.1.2
    • sanitize-html@2.7.0
  • Development dependencies
    • @babel/cli@7.17.6
    • @babel/core@7.17.5
    • @babel/plugin-proposal-class-properties@7.16.7
    • @babel/plugin-proposal-object-rest-spread@7.17.3
    • @babel/plugin-transform-runtime@7.17.0
    • @babel/preset-env@7.16.11
    • @babel/preset-react@7.16.7
    • @babel/preset-typescript@7.16.7
    • @babel/runtime@7.17.2
    • @emotion/react@11.8.1
    • @fluentui/react@8.57.0
    • @types/node@17.0.21
    • @types/react-dom@16.8.5
    • @types/react@16.8.25
    • @typescript-eslint/eslint-plugin@5.13.0
    • @typescript-eslint/parser@5.13.0
    • adm-zip@0.5.9
    • babel-jest@27.5.1
    • babel-loader@8.2.3
    • babel-plugin-istanbul@6.1.1
    • base64-arraybuffer@1.0.2
    • botframework-directlinejs@0.15.1
    • concurrently@7.0.0
    • core-js@3.21.1
    • dotenv@16.0.0
    • error-stack-parser@2.0.7
    • esbuild@0.14.24
    • eslint-config-prettier@8.5.0
    • eslint-plugin-prettier@4.0.0
    • eslint-plugin-react-hooks@4.3.0
    • eslint-plugin-react@7.29.3
    • eslint@8.10.0
    • express@4.17.3
    • get-port@6.1.2
    • glob@7.2.0
    • global-agent@3.0.0
    • http-proxy-middleware@2.0.3
    • husky@7.0.4
    • istanbul-lib-coverage@3.2.0
    • jest-environment-node@27.5.1
    • jest-trx-results-processor@2.2.1
    • jest@27.5.1
    • lint-staged@12.3.4
    • memoize-one@6.0.0
    • node-dev@7.1.0
    • node-fetch@3.2.1
    • nodemon@2.0.15
    • prettier@2.5.1
    • prop-types@15.8.1
    • read-pkg-up@9.1.0
    • read-pkg@7.1.0
    • selenium-webdriver@4.1.1
    • source-map-loader@3.0.1
    • strip-ansi@7.0.1
    • terser-webpack-plugin@5.3.1
    • typescript@4.6.2
    • webpack-cli@4.9.2
    • webpack@5.70.0

Description

Using node@16 for npm install and updated package-lock.json to version 2.

Bump all dependencies after release of 4.15.0, except Adaptive Cards and Cognitive Services Speech SDK, as they could require more efforts.

Added npm run bump scripts, to run them:

• If the package is NOT maintained by lerna, run npm run bump
• If the package is maintained by lerna, such as packages/bundle:
  1. Edit package.json to remove local peer dependencies
  2. Run npm run bump
  3. Edit package.json to add back removed local peer dependencies
  4. Run lerna bootstrap
  5. (Steps above are equivalent to what lerna did internally for lerna add and lerna bootstrap)

After bumping deps, we observe there are still a very few moderate or lower vulnerability related to create-react-app.

Design

npm run bump scripts

We added a quick NPM script to bumping dependencies.

For development dependencies, it will bump using ^ semver, excluding those marked by skipBump section in package.json.

npm install $(cat package.json | jq -r '(.devDependencies | keys) - .skipBump | .[]' | awk '{print $1 \"@latest\"}')

For production dependencies, it will bump as exact, excluding those marked by skipBump section in package.json.

npm install --save-exact $(cat package.json | jq -r '(.dependencies | keys) - .skipBump | .[]' | awk '{print $1 \"@latest\"}')

The version bump cannot be automated yet as it requires some manual work for lerna maintained packages.

Note: npm update will only update the deps in package-lock.json and to the semver specifier. When our iteration starts, we want to bump most dependencies to latest version even if they could be breaking.

Version considerations

We intentionally use @types/react@17 while we are using react@16, for VFC type and a few event handler mismatches.

At root level, we kept the following packages at lower version, as they are used by Jest and jest@27.5.1 (as of now) does not support ESM without an experimental flag:

• node-fetch@2.6.7 instead of node-fetch@3.2.1
• strip-ansi@6.0.1 instead of strip-ansi@7.0.1
• get-port@5.1.1 instead of get-port@6.1.2

Node.js 14 instead of 16 on Azure DevOps pipeline

We tried but could not enable npm@8 on Azure DevOps because of an issue when fetching ws@7.5.5, it would result in 404. Looks like Azure Artifacts is not able to "mirror" the NPM registry quickly enough. This specific version of ws@7.5.5 was released 6 months ago.

Falling back to Node.js 14 with NPM 6 works though.

I also tried p-defer and Azure Artifacts did not mirror the latest 4.0.0 version, it kept at 3.0.0. Compare the result below between NPMJS and Azure Artifacts.

compulim@ubuntu:~$ curl --silent https://registry.npmjs.org/p-defer | jq .time
{
  "modified": "2021-04-09T05:22:44.627Z",
  "created": "2016-10-21T05:14:31.906Z",
  "1.0.0": "2016-10-21T05:14:31.906Z",
  "2.0.0": "2019-03-17T12:27:03.960Z",
  "2.0.1": "2019-03-23T08:56:36.724Z",
  "2.1.0": "2019-04-03T05:21:21.381Z",
  "3.0.0": "2019-06-07T08:11:13.854Z",
  "4.0.0": "2021-04-09T05:22:42.429Z"
}

compulim@ubuntu:~$ curl -H "Authorization: Basic ..." --silent https://XXX.pkgs.visualstudio.com/_packaging/XXX/npm/registry/p-defer | jq .time
{
  "created": "2018-09-17T16:54:32Z",
  "modified": "2022-01-13T04:46:30Z",
  "1.0.0": "2018-09-17T16:54:32Z",
  "3.0.0": "2022-01-13T04:46:30Z"
}

When fetching p-defer-4.0.0tgz from Azure Artifacts:

compulim@ubuntu:~/$ curl -H "Authorization: Basic ..." --silent https://XXX.pkgs.visualstudio.com/_packaging/XXX/npm/registry/p-defer/-/p-defer-4.0.0.tgz | jq .
{
  "success": "false",
  "error": "Cannot find the file p-defer-4.0.0.tgz in package 'p-defer 4.0.0' in feed 'FuseNPM'",
  "reason": "Cannot find the file p-defer-4.0.0.tgz in package 'p-defer 4.0.0' in feed 'FuseNPM'",
  "innerException": null,
  "message": "Cannot find the file p-defer-4.0.0.tgz in package 'p-defer 4.0.0' in feed 'FuseNPM'",
  "typeName": "Microsoft.VisualStudio.Services.Packaging.Shared.WebApi.Exceptions.PackageNotFoundException, Microsoft.VisualStudio.Services.Packaging.Shared.WebApi, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
  "typeKey": "PackageNotFoundException",
  "errorCode": 0,
  "eventId": 3000
}

Specific Changes

• Using node@16 for npm install and updated package-lock.json to version 2
• To reduce bumping effort, we added npm run bump scripts and marked packages as skipBump
• mime@3 no longer requires mime-wrapper, thanks https://github.com/marlon360/mime-wrapper for their efforts
• Added @ts-ignore as @types/web@0.0.54 is not updated for MediaTrackSettings.channelCount yet
  • Related to Missing MediaTrackSettings.channelCount and a few TypeScript-DOM-lib-generator#1290
• Added @ts-ignore for deprecated navigator.getUserMedia
• DLSpeech SDK production code should not use node-fetch
• Removed support of WSL1 version of Docker

• I have added tests and executed them locally
• I have updated CHANGELOG.md
• I have updated documentation

Review Checklist

This section is for contributors to review your work.

• Accessibility reviewed (tab order, content readability, alt text, color contrast)
• Browser and platform compatibilities reviewed
• CSS styles reviewed (minimal rules, no z-index)
• Documents reviewed (docs, samples, live demo)
• Internationalization reviewed (strings, unit formatting)
• package.json and package-lock.json reviewed
• Security reviewed (no data URIs, check for nonce leak)
• Tests reviewed (coverage, legitimacy)

[cwhitten]

Bumping these dependencies really adds 300k LoC?

[tonyanziano]

Bumping these dependencies really adds 300k LoC?

I think the bulk of it is package-lock.json diffs: