v2.1.1

[JJ-8]

Let's update the main branch so it will have the latest Hedgedoc included, as well as some small fixes.
Since there are no major features, I think v2.1.1 is fine.

[XeR]

Good idea. I'd like to upgrade dependencies and fix vulnerabilities in dependencies before publishing a new version.

I can't seem to be able to upgrade graphql-upload.
We can upload the package to version 15 which fix the vulnerable dependency.

They changed the way the module is imported, so we need to change src/index.ts:

diff --git a/api/src/index.ts b/api/src/index.ts
index 2b01cf7..b286f47 100644
--- a/api/src/index.ts
+++ b/api/src/index.ts
@@ -2,7 +2,7 @@ import simplifyPlugin from "@graphile-contrib/pg-simplify-inflector";
 import PgPubsub from "@graphile/pg-pubsub";
 import crypto from "crypto";
 import express from "express";
-import { graphqlUploadExpress } from "graphql-upload";
+import graphqlUploadExpress from "graphql-upload/graphqlUploadExpress.mjs";
 import {
   makePluginHook,
   postgraphile,

But then, yarn will complain about types.
One of the issues (jaydenseric/graphql-upload#282) talk about this specific issue.
The fix is to change an option in tsconfig, but it breaks other dependencies.

I tried this, but that doesn't seem to solve the issue :

diff --git a/api/tsconfig.json b/api/tsconfig.json
index 012107d..7d4b405 100644
--- a/api/tsconfig.json
+++ b/api/tsconfig.json
@@ -71,5 +71,11 @@
   },
   "ts-node": {
     "files": true
+  },
+  "graphql-upload": {
+    "compilerOptions": {
+      "maxNodeModuleJsDepth": 10,
+      "module": "nodenext"
+    }
   }
 }

Feel free to give it a try.

As for the front-end, there are two dependencies with vulns : @quasar-cli with no upgrades and eslint-plugin-graphql that appears to be replaced with @graphql-eslint/eslint-plugin -- but I did not manage to upgrade it either.
I will try harder tomorrow.

On a different topic, since the development pace slowed down, should we keep using a dev branch ? Wouldn't it be better for us to merge directly to main and add a tag for new versions ?
This would make pull requests less confusing and dependabot actually useful.

[JJ-8]

@XeR, I think the vulnerable (dev) dependencies are not a big issue for CTFNote.

On a different topic, since the development pace slowed down, should we keep using a dev branch ? Wouldn't it be better for us to merge directly to main and add a tag for new versions ?
This would make pull requests less confusing and dependabot actually useful.

I think this is a good idea. But then we need to update CONTRIBUTING.md since we state there that the target should be the dev branch.
Also, what are we going to do with the dev branch? Delete it? Or leave it and it will become older than main branch?

[XeR]

LGTM (tested with CVE-2022-24434 fix)

[XeR]

But then we need to update CONTRIBUTING.md since we state there that the target should be the dev branch.

Fair point. We'll send a PR to main once this one is merged.

Also, what are we going to do with the dev branch? Delete it? Or leave it and it will become older than main branch?

Yes. I think it does not make sense to keep the dev branch if we do not use it any more.
We can always create a new dev branch in the future if we ever need it.

Ideally I'd like to :

1. get this PR merged
2. change CONTRIBUTING.md
3. make a 2.1.1 tag on main
4. update both ical PR to point to main
5. delete dev

Did I forget anything ?

[JJ-8]

I think everything is covered with your list.

[JJ-8]

@XeR, I think you missed something your list: I prefer to also publish a Github release (https://github.com/TFNS/CTFNote/releases) after tagging the version. Do you agree?

[XeR]

Oh that's nice. I had no idea we had those !
I put the releases link back on, thanks.