Roots Discourse

Sage Deprecated Dependencies

Hello everybody!
First of all, I want to express my deep gratitude for this project to all its participants.

Recently, I wasted a lot of time on an unsuccessful attempt to update deprecated project dependencies. As I can see, a large number of vulnerabilities has accumulated in the existing version. But when I updated Node.js, I ran into incompatibility problems.

Could you tell me: are there any plans for updating Sage with new dependencies? Or at least, could someone from the experienced participants write a small guide on how to update the Sage dependencies with a new SASS (dart version), with new linters, loaders and a newer Node.js?

Thank you in advance to everyone who responds.

I’d recommend trying Sage 10 or copying the Sage 10 build process into Sage 9.

I had to update several Sage 9 Node dependencies.
The easiest approach is using a tool like david and gradually installing new package versions,
then retrying the build and rolling back if the build fails.
In theory, minor-version updates shouldn’t introduce incompatibility issues.
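
The install, rebuild, roll-back loop described in the post above, written out as an added example that is not part of the original thread or of Sage. The use of npm, a `build` script in `package.json`, and the names `try_upgrade` and `upgrade_all` are assumptions.

```shell
#!/bin/sh
# Upgrade one dependency at a time, rebuild, and roll back on failure.
# Assumptions (not from the thread): npm as the package manager and a
# "build" script in package.json. Override the variables for other tools.
INSTALL_CMD=${INSTALL_CMD:-"npm install --save-exact"}
BUILD_CMD=${BUILD_CMD:-"npm run build"}
REINSTALL_CMD=${REINSTALL_CMD:-"npm install"}

# try_upgrade NAME@VERSION -> 0 kept, 1 rolled back, 2 could not snapshot
try_upgrade() {
    spec=$1
    snap=$(mktemp -d) || return 2
    cp package.json "$snap/" || { rm -rf "$snap"; return 2; }
    if [ -f package-lock.json ]; then cp package-lock.json "$snap/"; fi

    if $INSTALL_CMD "$spec" >/dev/null 2>&1 && $BUILD_CMD >/dev/null 2>&1; then
        rm -rf "$snap"
        echo "kept        $spec"
        return 0
    fi

    # Restore the manifest and lockfile, then put node_modules back in sync.
    cp "$snap/package.json" package.json
    if [ -f "$snap/package-lock.json" ]; then
        cp "$snap/package-lock.json" package-lock.json
    else
        rm -f package-lock.json
    fi
    rm -rf "$snap"
    $REINSTALL_CMD >/dev/null 2>&1 || echo "warning: reinstall failed" >&2
    echo "rolled back $spec"
    return 1
}

# upgrade_all SPEC... -> 0 if every upgrade was kept, 1 otherwise
upgrade_all() {
    failed=0
    for s in "$@"; do
        try_upgrade "$s" || failed=1
    done
    return "$failed"
}

# Constructed usage (placeholder names): ./upgrade.sh some-loader@1.2.3 some-linter@4.5.6
if [ "$#" -gt 0 ]; then upgrade_all "$@"; fi
```

Committing `package.json` and the lockfile after each kept upgrade leaves a history showing which version change broke the build.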

I have a longer reply to this that I am going to finish and leave here, but for the sake of addressing this issue quickly I want to make some things clear:

  • Sage 9 builds perfectly fine if you use Node 10. I’d recommend using Volta to manage your Node versions.
  • Yes, there are vulnerabilities with a number of Sage 9’s dependencies, however, almost all of these have to do with dependencies that could be used for a production Node server (i.e. the type of thing Node was primarily created for). I’m sure this could be a concern if you are using BrowserSync on a public network, but for building dependencies, I do not think you need to be concerned. Yes, there is a jQuery vulnerability, but Sage doesn’t actually bundle jQuery. It marks it as external and lets WP enqueue it.
  • There are two webpack plugins: copy-globs-webpack-plugin and browsersync-webpack-plugin that I believe are deprecated, but they were built by Sage 9’s lead developer and were built primarily for Sage 9. If you try to replace these, you will not have a good time.
  • Sage 10 is Roots’ future solution to a number of Sage 9’s problems, but it is not immune to the issue of Node module vulnerabilities and deprecation. At the current time, I would not recommend switching to it since it is undocumented and that will leave you with fewer resources to work with than you have using Sage 9.
4 Likes

Oh, is Volta similar to nvm?

Yes, much better in my experience. I have found NVM is very slow and causes a lot of conflicts. Volta is written in Rust and does not cause conflicts in global dependencies.

Thanks a lot for the quick answer!