Epic - November Dependency Updates

[joewhitsitt]

We should try to review and merge in dependency updates on a monthly basis. Until this is automated more, here is a guide:

• Issue summary should contain a list of the dependabot pulls in scope for reference, however, the actual work should be done in a single PR to minimize composer conflicts.
• Dependencies related to our frontend build tools (not executed on the websites) are usually safe to merge as-is but might cause issue with other packages. Check travis build for messages related to blt frontend.
• As a separate PR is created with the dependency update, the related dependabot version should be closed referencing the monthly PR.
• Periodically check locked dependencies for new versions. Make notes about why a dependency was/is locked in the repo Readme.
• Review the changelog for each version we are jumping to and the versions in-between. Make note of certain functionality in our codebase that is using the functionality for testing instructions later.
• Use https://github.com/uiowa/uiowa#updating-dependencies as a guide to test for update hooks, configuration changes and commit. This command is helpful if there are a lot of configuration changes across feature/site splits: https://github.com/uiowa/uiowa/blob/main/blt/src/Blt/Plugin/Commands/ConfigSplitCommands.php
• If a particular dependency is too big to go out along with others, split it off from the PR as a separate issue and introduce the "why" in parking lot.
• Update hooks and requires cache rebuild type updates may require off-hours deployment.
• Once this issue is completed, copy these notes to the next month's issue and introduce it in parking lot.

Updates in-scope

• Bump drupal/address from 1.10.0 to 1.11.0 #5647
• Bump drupal/field_group from 3.2.0 to 3.4.0 #5902 (quite a few changes from 3.2 to 3.4 but should be able to update. https://www.drupal.org/project/field_group/releases/8.x-3.3, https://www.drupal.org/project/field_group/releases/8.x-3.4)
• Bump drupal/smart_trim from 1.3.0 to 2.0.0 #5901 (D10 compatibility)
• Bump drupal/views_bulk_operations from 4.1.4 to 4.2.1 #5900 (V2 action API, Php 7.3 no longer supported, compatibility for 7.4, Drupal 9.4 or higher)
• Bump drupal/inline_entity_form from 1.0.0-rc12 to 1.0.0-rc14 #5760 (quite a few migration errors fixed with https://www.drupal.org/project/inline_entity_form/releases/8.x-1.0-rc13)
• Bump drupal/siteimprove from 1.11.0 to 1.12.0 #5648
• Bump breakpoint-sass from 2.7.1 to 3.0.0 #5644 (https://github.com/at-import/breakpoint/releases/tag/v3.0.0 - Dropped Ruby, Eyeglass, Bower, and Sache support)
• Bump drupal/entity_reference_revisions from 1.9.0 to 1.10.0 #5649 (https://www.drupal.org/project/entity_reference_revisions/releases/8.x-1.10 D10 compatibility and HAL module has been deprecated)
• Bump acquia/memcache-settings from 1.1.0 to 1.2.0 #5642 (Should not activate under Cloud Next)
• Bump drupal/metatag from 1.19.0 to 1.22.0 #5763 (New APIs. A few known issues with https://www.drupal.org/project/metatag/releases/8.x-1.20 which may carry forth into 1.22)
• Bump drupal/menu_block from 1.7.0 to 1.10.0 #5948 - Will require replacing or removing a patch.

Possible locked dependency updates

• Some November dependency updates not handled by dependabot #5949
  • https://www.drupal.org/project/diff/releases/8.x-1.1 (released after our php 8.1 upgrade) - Update Diff module to stable release  #5847
  • https://www.drupal.org/project/lb_direct_add/releases/2.0.0 (thanks @pyrello!) - Test to make sure webmaster can not see the configuration for lb_direct_add Editor user permission role can access some configuration options #5609
• Update to stable release of easysvg. #5950 https://packagist.org/packages/kartsims/easysvg#2.4 (woot!)

[briand44]

Postponing this until October since we are updating core and php in Sept

[makurj]

I would like to drive/pair on this.

[joewhitsitt]

going to look into the locked dependencies while @makurj pulls together and reviews the dependabots.

This is an example of a frontend dependency that we just to need test whether our frontend process still works and there aren't percy issues I think #5644 it would not be in-scope for this issue

[pyrello]

Need to set permissions based on #5609

I think that the intention behind #5609 was to prevent non-admins from accessing the direct add stuff, so actually I think just switching to that new version will just accomplish that without setting a permission.

[joewhitsitt]

Added the locked packages that could be in-scope for this issue. The rest are still waiting or need to remained locked. Noticed that acquia/blt-multisite could be updated to a stable version https://github.com/acquia/blt-multisite/releases/tag/v1.0.0

[joewhitsitt]

If we have a separate PR (e.g. for drupal/diff) for example, here are some adjustments for the readme.md:

Package	Reason
drupal/smart_date	Need to wait for upstream issue to be part of stable release or we need to patch it #5664
acquia/blt-travis	No stable release to pair with blt 13.5. See acquia/blt-travis#3

The modules that are updated as part of this issue could be removed from the table.

[joewhitsitt]

@joewhitsitt Would we want to go to 1.10 instead of 1.8 https://www.drupal.org/project/menu_block/releases/8.x-1.10, primarily bug fixes

Looks like a good value add for php 8.1:
https://git.drupalcode.org/project/menu_block/-/compare/8.x-1.7...8.x-1.10?from_project_id=3161&straight=false

[pyrello]

@joewhitsitt Would we want to go to 1.10 instead of 1.8 https://www.drupal.org/project/menu_block/releases/8.x-1.10, primarily bug fixes

Looks like a good value add for php 8.1: https://git.drupalcode.org/project/menu_block/-/compare/8.x-1.7...8.x-1.10?from_project_id=3161&straight=false

Looks like @dependabot agrees: #5948

[pyrello]

I'm working on the lb_direct_add update.

[pyrello]

I was going to add the easysvg package update to #5949, but decided to hold off since I'm not sure how to test it and was hoping that @joewhitsitt could guide me on that.

[pyrello]

I thought I might be able to sneak #5951 in, since it involves a dependency update, but it requires more work to transition our homespun view block filters to the new one provided by ctools_views. Therefore I'm not adding it to this list.

[joewhitsitt]

Looks like all of the in-scope work is done on this. Credit to @pyrello and @makurj for this work.

Once this issue is completed, copy these notes to the next month's issue and introduce it in parking lot.

Based on recent discussions and how this issue was addressed, I am not going to create next month's issue. Team thoughts about how to work these in to our planned work without falling behind?

[pyrello]

I think that the epic was helpful in keeping track of the updates to be done. Maybe we just need to rewrite the notes a bit?

[pyrello]

We should try to review and merge in dependency updates on a monthly basis. Until this is automated more, here is a guide:

• Review the outstanding dependency updates and add a list of current ones below.
• Dependencies related to our frontend build tools (not executed on the websites) are usually safe to merge as-is but might cause issue with other packages. Check travis build for messages related to blt frontend.
• Each @dependabot PR can be worked on separately. Each dependency PR you merge will cause merge conflicts with all the other ones. As long as you don't alter the branch (e.g. merge in main, push a commit), you can fix the merge conflicts by running @dependabot rebase.
• If a @dependabot PR does require some type of modification (e.g. removing a patch, updating incompatible code), it is okay to make those changes directly in relevant PR. However, it is a good idea to wait until you have merged all the other "easy" dependency PRs first because you will lose the ability to use @dependabot rebase to have the PR's merge conflicts resolved.
• Periodically check locked dependencies for new versions. Make notes about why a dependency was/is locked in the repo Readme.
• Review the changelog for each version we are jumping to and the versions in-between. Make note of certain functionality in our codebase that is using the functionality for testing instructions later.
• It can also be helpful to review the git diff comparison between the old version and the new one to see how extensive the code changes are and to get an idea of what things you might need to test.
• Use https://github.com/uiowa/uiowa#updating-dependencies as a guide to test for update hooks, configuration changes and commit. This command is helpful if there are a lot of configuration changes across feature/site splits: https://github.com/uiowa/uiowa/blob/main/blt/src/Blt/Plugin/Commands/ConfigSplitCommands.php
• Dependency PR's with update hooks or requiring a cache rebuild may require off-hours deployment. If this is the case, add the appropriate label to the PR.
• Once this issue is completed, copy these notes to the next month's issue and introduce it in parking lot.

Updates in-scope

[joewhitsitt]

I am okay with this. Thanks @pyrello for taking the time to tweak it.

[joewhitsitt]

Created #5965. Closing this as #5951 should be addressed separately.