Manage vis-network via foreign-resources #99
Merged
Declares the bundled vis-network library through MediaWiki's foreign-resources mechanism, so source URL, version, license, homepage, and integrity (SRI) hash are recorded explicitly and future upgrades flow through manageForeignResources.php.

- extension.json gets a top-level ForeignResourcesDir attribute pointing at resources/lib, the convention recognised by manageForeignResources.php's --extension flag.
- A new resources/lib/foreign-resources.yaml declares vis-network 8.5.5 as a 'tar' entry pointing at the npm tarball, with a sha384 integrity matching the upstream tarball, plus purl, license, homepage, authors, and version. The dest map extracts the standalone UMD vis-network.js plus both LICENSE files (Apache-2.0, MIT) for compliance.
- The library moves from resources/lib/vis-network.js to resources/lib/vis-network/vis-network.js to match the file layout manageForeignResources.php's update action produces. Bytes unchanged; runtime behaviour unchanged. The ext.network ResourceModule's script path is updated.
- The two LICENSE files are vendored alongside the library.
- README.md gains an 'Upgrading vis-network' subsection under Development that documents the make-sri / update / verify / make-cdx workflow.
- CI's static-analysis job runs 'manageForeignResources verify' to catch drift between the on-disk file and the declared integrity hash.

The current vis-network version (8.5.5) is unchanged here. With the infrastructure in place a version bump becomes mostly a YAML edit plus regression-testing the new behaviour.
Summary
Bring the bundled `vis-network` library under MediaWiki's foreign-resources management. The 1.5 MB blob at `resources/lib/vis-network.js` previously had no metadata; now its source URL, version, license, homepage, authors, and SRI hash are declared explicitly, future upgrades flow through `manageForeignResources.php`, and CI fails if the on-disk bytes drift from the declared integrity.

- `extension.json` gains a top-level `ForeignResourcesDir: "resources/lib"` attribute (the convention `manageForeignResources.php --extension Network` recognises).
- `resources/lib/foreign-resources.yaml` declares `vis-network` 8.5.5 as a `type: tar` entry against the npm tarball (`registry.npmjs.org/vis-network/-/vis-network-8.5.5.tgz`) with sha384 integrity, `purl`, license, homepage, and version. The `dest` map extracts the standalone UMD JS plus both LICENSE files (Apache-2.0 and MIT, since the package is dual-licensed).
- `resources/lib/vis-network.js` → `resources/lib/vis-network/vis-network.js`, matching the layout `manageForeignResources update` produces. Pure 100%-similarity git rename — bytes unchanged, runtime behaviour unchanged. `ext.network`'s `scripts` path is updated accordingly.
- `resources/lib/vis-network/LICENSE-APACHE-2.0` and `resources/lib/vis-network/LICENSE-MIT`, extracted from the upstream tarball.
- `README.md` gains an "Upgrading vis-network" subsection under "Development" documenting the `make-sri` / `update` / `verify` / `make-cdx` workflow.
- `manageForeignResources verify --extension Network` to catch any future drift between the on-disk bytes and the declared integrity hash.

The vis-network version (8.5.5) is unchanged in this PR. With the management infrastructure in place a future version bump becomes mostly a YAML edit plus regression-testing the new release's behaviour.
Test plan
- `php maintenance/run.php manageForeignResources verify --extension Network` succeeds (the on-disk bytes match the declared `integrity`)
- `php maintenance/run.php manageForeignResources update --extension Network` round-trips: re-downloads the tarball, extracts the same files into the same locations, verify still passes
- `composer phpunit` — 36/36
- `vendor/bin/phpcs -p -s` — clean
- `vendor/bin/phpstan analyse` — No errors
- `vendor/bin/psalm` — No errors found
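An added illustration, not part of this PR or of MediaWiki's code, of the two checks the description relies on: the tarball's sha384 SRI value must equal the declared integrity, and each vendored file must equal the bytes the tarball's dest mapping yields. The tarball, file paths and dest map below are constructed sample data, and `verify` is a hypothetical helper.

```python
import base64
import hashlib
import io
import tarfile

def sri_sha384(data: bytes) -> str:
    """SRI string for data: "sha384-" + base64 of the raw SHA-384 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")

def make_tarball(files: dict) -> bytes:
    """Build an in-memory .tgz from {path: bytes}; stands in for the download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def verify(tarball: bytes, declared: str, dest: dict, on_disk: dict) -> list:
    """Return a list of problems; an empty list means the vendored copy is clean."""
    actual = sri_sha384(tarball)
    if actual != declared:
        # Refuse to unpack an archive that does not match the declared hash.
        return ["tarball integrity mismatch: got " + actual]
    problems = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for src, dst in dest.items():
            try:
                member = tar.extractfile(src)
            except KeyError:
                member = None
            if member is None:
                problems.append("missing in tarball: " + src)
            elif on_disk.get(dst) != member.read():
                problems.append("drift: " + dst)
    return problems

# Constructed sample data; paths and contents are illustrative only.
JS = b"/* constructed stand-in for the UMD bundle */\n"
UPSTREAM = make_tarball({"package/dist/lib.js": JS, "package/LICENSE-MIT": b"MIT\n"})
DECLARED = sri_sha384(UPSTREAM)
DEST = {"package/dist/lib.js": "lib/lib.js", "package/LICENSE-MIT": "lib/LICENSE-MIT"}
DISK = {"lib/lib.js": JS, "lib/LICENSE-MIT": b"MIT\n"}

if __name__ == "__main__":
    print(verify(UPSTREAM, DECLARED, DEST, DISK))  # clean copy
    print(verify(UPSTREAM, DECLARED, DEST, {**DISK, "lib/lib.js": JS + b"x"}))
```

The hash comparison runs before extraction, so a tampered or substituted archive is rejected without being unpacked; a hand-edited vendored file surfaces as a per-file drift entry.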