Track upstream and periodically update dependencies

[evrifaessa]

We have some dependencies other than the Composer packages we're using.

We should keep them updated and find a way to be notified whenever they release a new update.

Including but not limited to:

• CKEditor 4 (see Consider using CKEditor 5 #1245 too)
• RedBean
• tfpdf
• PdoSessionHandler
• php-gettext
• hardcoded libs inside some server managers
• CSRF-Protector-PHP

also theme dependencies (also see #978):

• Bootstrap
• jQuery
• Font Awesome

We should also document the process for updating each of these so the new maintainers will have an easier time. Some of these can (and if possible, should) be replaced with automated package managers. We can even drop some of them entirely.

[gOOvER]

I think dependabot can handle this also. Never worked with dependabot, but found an example for Nextcloud:

nextcloud/mail@d84bb4a

[andpavlenko]

If migrate to Doctrine, then RedBean and PdoSessionHandler will be no longer needed. Problem of updates will solved.
Lot of work, but can try. ;)

[BelleNottelling]

Many of these dependencies are also not maintained or even because we have had to hack them for BoxBilling due to issues on our own end (redbeanPHP for example)

@andpavlenko
Do you have a discord?
There's some stuff I'd like to loop you into

[andpavlenko]

@BenNottelling Yesterday I've first time install Discord. Only for Boxbilling. ))

[andpavlenko]

At first look, a lot of hardcode related to frontend could to move in package.json

[BelleNottelling]

@andpavlenko
Awesome!
Can you join the server?
https://boxbilling.org/discord

[timothygwebb]

Andrey, Could you give more detail as to what frontend code is in package.json? If there is no frontend code in package.json are you requesting that we move some to it? If the second is your request most likely the answer will be no due to the actual purpose of a package.json file and what their intended uses are for. Does that make sense? If not then I would suggest we answer the question of what package.json file you are editing and clearly define the intended use for the package and its associated dependencies. In most cases a package.json file is only seen when working with a Node or npm package. So I am curious to find out what package we have hardcoded boxbilling information into. Thank you Timothy Webb

…

On Mon, Mar 28, 2022 at 3:38 PM Andrey Pavlenko ***@***.***> wrote: At first look, a lot of hardcode related to frontend could to move in package.json — Reply to this email directly, view it on GitHub <#1244 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AD24K7JFAS5WSU72C6LNXBDVCIDEVANCNFSM5R2KGT6Q> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[evrifaessa]

If the second is your request most likely the answer will be no due to the
actual purpose of a package.json file and what their intended uses are for.

What are those "intented uses"? It's pretty common to grab your front-end assets from npm. That's a lot easier to keep them up-to-date.

https://fontawesome.com/docs/web/setup/packages
https://getbootstrap.com/docs/5.1/getting-started/download/#package-managers
https://jquery.com/download/#downloading-jquery-using-npm-or-yarn

[timothygwebb]

If the second is your request most likely the answer will be no due to the
actual purpose of a package.json file and what their intended uses are for.

What are those "intented uses"? It's pretty common to grab your front-end assets from npm. That's a lot easier to keep them up-to-date.

https://fontawesome.com/docs/web/setup/packages
https://getbootstrap.com/docs/5.1/getting-started/download/#package-managers
https://jquery.com/download/#downloading-jquery-using-npm-or-yarn

Thanks for the clarification. I am good with this. Just wanted to make sure we were not hard coding to fix something broken in our package.json when the file is strictly used for npm depends and settings.