We are pleased to announce a new preview release for you to try out. YUI 3.11pr1 is available via Yahoo! CDN, a downloadable archive, or on npm. Our YUI Library staging website has also been updated to reflect the changes in this release. Given that this is a preview release, please take note of the testing advisory below.
Purpose of This Preview Release
For this sprint we have some fundamental changes to Attribute and Base, which could benefit from some validation against real-world implementations. Getting an early PR out and widely adopted gives us a couple of weeks to react to anything which comes out of the PR process due to these low level changes.
Attribute and Base Changes
There are two relatively low level changes to Attribute and Base/BaseCore that help improve performance and stability.
- Base now adds all ATTRS up the class hierarchy at once, instead of a class at a time (Issue / Pull Request).
changeevents now bypass the Event sub-system if there are no potential listeners (Issue / Pull Request).
Here are some performance numbers, to highlight the potential benefits of these changes:
new Base() with no init listener x 12,914 ops/sec
myBase.set() with no listeners x 82,616 ops/sec
new Base() with no init listener x 40,308 ops/sec
myBase.set() with no listeners x 256,048 ops/sec
new Base() with no init listener x 75,828 ops/sec
myBase.set() with no listeners x 1,217,522 ops/sec
Both of these changes carry with them some element of risk, but they have the potential to provide performance improvements with only a small degree of backwards compatibility issues. One of the primary reasons for this PR is to test these changes, so we encourage you to download this release and test them out.
New Paginator and DataTable Paginator
We are pleased to announce a new component, Paginator. It is released with a few examples and full test coverage. It's built to be lightweight and flexible and can be used on the server or client side. Since there are so many unique styles and use cases to paginators, the paginator view has been stripped out and can be implemented in any fashion you like. Take a look at the examples to get a head start.
Hot on the heels of Paginator is the much anticipated DataTable Paginator. DataTable Paginator mixes directly into DataTable and is ready to go with a few settings defined as it has its own Model, View, and Templates. Everything is decoupled enough however to take in a new Model, View and/or Template and render something completely different.
There are also a number of bug fixes and updates across the board in this release, including a new Paginator module.
There are also a few DataTable bugs that were addressed in this preview release. Look here for the full list of changes. Let Tony (@apipkin) know what you think of the changes in DataTable as well as any plans you have to use Paginator.
Ryan also added an
isNodeOnscreen() method in ScrollInfo that returns
true if the given node is within the visible bounds of the viewport,
false otherwise. He improved the performance of
getOnscreenNodes(). He also fixed a bug that caused
getOnscreenNodes() to return incorrect information when used on a scrollable node rather than the body.
Ryan was on a roll with changes for this release:
- In Y.Tree the
Tree#traverseNode()methods now throw or log informative error messages when given a destroyed node instead of failing cryptically (or succeeding when they shouldn't).
- He added
Tree.Node#depth(), which returns the depth of the node, starting at 0 for the root node.
- Also added was
Tree.Sortable#sort(), which sorts the children of every node in a sortable tree.
Tree.Node#isRoot()method now returns
falseon destroyed nodes instead of causing an exception.
Tree.Sortable.Node#sort()methods now accept a
deepoption. If set to
true, the entire hierarchy will be sorted (children, children's children, etc.).
- In Tree.Sortable the Sort comparator functions are now executed in their original context. When the sort comparator lives on the tree, its
thisobject will be the tree instance. When it lives on a node, its
thisobject will be the node. When specified as an anonymous function in an options object, its
thisobject will be the global object.
There were fixes in AsyncQueue, Calendar (thanks Arnaud Didry), Color, DataTable, updates to Handlebars, IO, JSONP, and Promise. Hungarian language support was added to AutoComplete, Console, and Date (thank you Gábor Kovács). You can find a complete list of changes for this release on GitHub as well as the change history rollup. We had a total of 381 commits by 14 authors since YUI 3.10.3.
A Call for Testing
Since many of these changes are either new or may have unforeseen issues, we recommend that you take this preview release and try it out in a staging environment with your own applications. It is very important that we hear about any issues you run into so that we can fix them in a timely manner before the 3.11 GA release. If you do encounter an issue, please file a ticket.
We've already been testing this preview release across our target environments and we've encountered a few issues that you should be aware of in your own testing.
Test failure: ArraySort on Safari (4.0) / Linux [ 2.3 ] in naturalCompare() should sort mixed strings and numbers: Values in position 5 are not the same. Expected: 100 (number) Actual: 100 (string)
Test failure: DataTable: Paginator on Internet Explorer (8.0) / Windows XP in Paginator test rowsPerPage === null shows all rows: There are not 100 rows in the table Expected: 100 (number) Actual: 0 (number)
Test failure: test clicking on the controls: Values should be the same. Expected: C:30 (string) Actual: A:0 (string)
As you try out this preview release, pay particular attention to the Attribute and Base changes, the new Paginator module, and the new methods in Y.Tree. With your help, we can make the upcoming 3.11 GA release the best one yet!
Update: There was an issue with the downloadable
.zip package that prevented successful extraction that has now been fixed.
We are releasing YUI 3.10.3 today to fix a
.swf vulnerability that was inadvertantly reintroduced in YUI 3.10.2. Any project which is self-hosting the YUI 3.10.2
io.swf file should upgrade to YUI 3.10.3 to resolve the vulnerability. Any project which is not self-hosting the YUI 3.10.2
io.swf file is not affected by the vulnerability.
We released YUI 3.10.1 last month to correct a
.swf vulnerability. Unfortunately within the 3.10.2 release cycle, one of the older vulnerable
.swf files (
io.swf) was inadvertently reintroduced to the source tree and distributed in our latest 3.10.2 release in the npm and downloadable
YUI 3.10.3 replaces the vulnerable
.swf with the correct patched file, and no other code changes have been included with this release. Note: This is not a new vulnerability, just a reintroduction of an older
.swf file that contained the original vulnerability.
Full details of the original vulnerability are available in the security bulletin.
Delete the File
If you are hosting
io.swf but not using it in your application, simply delete the file to resolve the vulnerability.
Replace the Vulnerable Files
If you host and use this functionality, replace
io.swf with the patched file provided below.
|Version||Replacement File||Old MD5||Patched MD5|
Plan To Remove All Flash-Based Features
In the future, we plan to remove all Flash-based features from the yui3 repo and instead host the source code in a separate yui3-swfs repo. This will allow projects continued access to the functionality via a compile-yourself and host-yourself model, while removing these problematic features from the core project. We are requesting community feedback on this topic on the mailing list.