Includes a YAML config file for our lab, and documentation on how to
create a custom config for another Selenium grid.

A workflow will run tests nightly in the Shaka lab, using a
self-hosted runner with access to our private grid.

The workflow can also be triggered manually by maintainers to test a
PR in the lab. This will report status back to the PR.

The depswriter.py tool from google-closure-library was generating
deprecation warnings. This switches to a newer, rewritten version
called google-closure-deps.

Minimist is vulnerable to prototype pollution, and is no longer
receiving updates. Details of the vulnerability can be found here:
https://github.com/advisories/GHSA-xvch-5gv4-984h

This updates our indirect dep on json5 to remove its minimist dep.

Jimp, Karma, and WD all rely on v0 of mkdirp, which uses minimist.
This forces them to use v1 of mkdirp, a rewrite which doesn't use
minimist.
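
An added example (not code from the shaka-player repository) of checking
the change described above against a lockfile: it lists every dependency
chain from the root package to minimist, before and after mkdirp is forced
to v1. The lockfile contents, version strings, and the names makeLock,
resolve and findChains are constructed for illustration.

```javascript
// Added example. Constructed lockfile in npm's v2/v3 "packages" layout;
// every version string below is a placeholder, not a real pin.
function makeLock(mkdirpVersion, mkdirpDeps) {
  const v = '0.0.0-sample';
  return {packages: {
    '': {devDependencies: {jimp: '*', karma: '*', wd: '*', rimraf: '*'}},
    'node_modules/jimp': {version: v, dependencies: {mkdirp: '*'}},
    'node_modules/karma': {version: v, dependencies: {mkdirp: '*'}},
    'node_modules/wd': {version: v, dependencies: {mkdirp: '*'}},
    'node_modules/rimraf': {version: v},
    'node_modules/mkdirp': {version: mkdirpVersion, dependencies: mkdirpDeps},
    'node_modules/minimist': {version: v},
  }};
}
const before = makeLock('0.x', {minimist: '*'});  // mkdirp v0 uses minimist
const after = makeLock('1.x', {});                // mkdirp v1 does not

// Node-style lookup: nearest enclosing node_modules first, then outward.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf('/node_modules/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}

// Returns every chain "a@ver > b@ver > target@ver" reachable from the root.
function findChains(lock, target) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = lock.packages[path];
    const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies,
        path === '' ? pkg.devDependencies : undefined);
    for (const name of Object.keys(deps)) {
      const next = resolve(lock.packages, path, name);
      if (next === null || seen.has(next)) continue;  // missing or cyclic
      const step = trail.concat(`${name}@${lock.packages[next].version}`);
      if (name === target) chains.push(step.join(' > '));
      else walk(next, step, new Set(seen).add(next));
    }
  };
  walk('', [], new Set(['']));
  return chains;
}

console.log(findChains(before, 'minimist'));
console.log(findChains(after, 'minimist'));
```

An entry that is still present in the lockfile but has no chain from the
root, as minimist is in the constructed "after" case, is not installed on
behalf of any dependency.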

In #3991, I changed the syntax of our colors to a modern rgba syntax.
For example, rgba(255, 255, 255, 0.85) would become rgba(255 255 255 /
85%). However, less v3 seems not to understand that properly, and
performs division on the last two parts, resulting in output of
rgba(255 255 3%), which is indeed invalid.

This fixes the issue by upgrading to less v4, which understands the
new rgba syntax and leaves it alone. The output for that will now
match the input.

To work around an issue with less v4, this uses a prerelease version
with a fix for https://github.com/less/less.js/issues/3693 . See also
https://github.com/tomas/needle/issues/391

This doesn't affect any release branches, since #3991 hasn't been
cherry-picked.

Closes #4027

These projects have vulnerable dependencies, but are not being
properly maintained. This replaces both with forks that have upgraded
their deps.

This brings the NPM audit vulnerability count from 6 to 0.

This updates the jsdoc fork to one based on the latest jsdoc. (The
fork adds features for tutorial sorting.)

We also have an in-repo fork of the default jsdoc template from 2019.
The newer default template no longer includes the same dependencies,
so three deps we used to get transitively from jsdoc are now explicit
at the shaka-player level: open-sans-fonts, code-prettify, and
color-themes-for-google-code-prettify. This is appropriate, since the
dependency comes from our in-repo fork of the default template.

This upgrade brings our NPM audit vulnerabilities from 10 to 6.

The new version requires additional configuration for less syntax, and
has new default rules we were out of compliance with.

I disabled rules about avoiding explicit vendor prefixes (such as
"-webkit") because we are not using any auto-prefixer tools. Other
violations have been fixed:
- kebab-case for element ids
- quotes around URLs
- double quotes instead of single quotes
- disable class selector pattern matching for MDL (external)
- use modern rgb/rgba syntax
- no quotes on font families
- no long-hand when short-hand will do

This brings our NPM audit vulnerabilities from 20 down to 10.

Downgrade less to v3. v4 is failing on macOS for some reason. See
less/less.js#3693

This also makes some less/CSS changes that are useful for future
upgrades:
- wrap all calculations in calc(), which is required in less v4
- remove unneeded @transparent variable

Finally, this fixes an erroneous error message that said "extern
generation failed" instead of "CSS compilation failed".

Closes #3981

This updates the compiler and closure library to the latest releases.

This required a few small tweaks:
- Drop custom extern for WebCrypto (now built into the compiler)
- Remove require() in cea parser, only used in `throws` annotations
- Hack around a typing issue in a fake version of TextTrack in tests

Most dependencies are not used in Shaka Player itself, but in our
build and test infra or in our demo app. Still, GitHub reported 29
potential vulnerabilities in these deps, and NPM reported 37.

The changes below bring NPM's audit report from 37 down to 24
vulnerabilities.

Detailed updates:
- Dropped explicit deps for transitive dependencies that we no longer
  need to update for ourselves:
  - ua-parser-js (via karma)
- Dropped because we no longer need them:
  - karma-ie-launcher
- Updated to latest versions:
  - awesomplete
  - core-js
  - dialog-polyfill
  - htmlhint
  - jimp
  - karma*
  - less
  - pwacompat
  - rimraf
  - tippy.js
  - which
- Updated as far as possible without code or config changes in Shaka:
  - mux.js
  - stylelint*
- Still needs an update:
  - *babel*
  - eslint
  - eslint-config-google
  - google-closure-compiler
  - google-closure-library

Some of the vulnerabilities stem from stylelint, babel, and others
that haven't been updated yet, so follow-up work is needed to address
those with breaking updates.

mux.js is actually used at runtime (optional), so it was only updated
to the latest non-breaking release.