Hello everybody!
First of all, I want to express my deep gratitude for this project to all its participants.
Recently, I wasted a lot of time on an unsuccessful attempt to update deprecated project dependencies. As I can see, a large number of vulnerabilities have accumulated in the existing version. But when I updated Node.js, I ran into incompatibility problems.
Could you tell me, are there any plans to update Sage with new dependencies? Or at least, could one of the experienced participants write a small guide on how to update the Sage dependencies with the new Sass (Dart version), new linters, loaders and a newer Node.js?
I had to update several Sage 9 Node dependencies.
The easiest approach is to use a tool like david and gradually install new package versions,
then retry the build and roll back if the build fails.
In theory minor-version updates shouldn’t introduce incompatibility issues.
I have a longer reply to this that I am going to finish and leave here, but for the sake of addressing this issue quickly I want to make some things clear:
Sage 9 builds perfectly fine if you use Node 10. I’d recommend using Volta to manage your Node versions.
Yes, there are vulnerabilities in a number of Sage 9’s dependencies; however, almost all of these have to do with dependencies that could be used for a production Node server (i.e. the type of thing Node was primarily created for). I’m sure this could be a concern if you are using BrowserSync on a public network, but for building dependencies, I do not think you need to be concerned. Yes, there is a jQuery vulnerability, but Sage doesn’t actually bundle jQuery. It marks it as external and lets WP enqueue it.
There are two webpack plugins: copy-globs-webpack-plugin and browsersync-webpack-plugin that I believe are deprecated, but they were built by Sage 9’s lead developer and were built primarily for Sage 9. If you try to replace these, you will not have a good time.
Sage 10 is Roots’ future solution to a number of Sage 9’s problems, but it is not immune to the issue of Node module vulnerabilities and deprecation. At the current time, I would not recommend switching to it since it is undocumented and that will leave you with fewer resources to work with than you have using Sage 9.
Yes, much better in my experience. I have found NVM is very slow and causes a lot of conflicts. Volta is written in Rust and does not cause conflicts in global dependencies.