Over the last week I’ve been heads-down on core Dasher work, but with very little visible result. Here’s why.
Early last week I received an email telling me that it was time to dig into Dasher’s use of third-party components and make sure there weren’t any security issues. (This isn’t something unusual – all our products go through this, and many of our research projects, too.) As anyone working on web development projects will know, it’s important to go through your dependencies from time to time to reduce the technical debt that accumulates due to the use of old libraries and components that have been deprecated, superseded or just plain improved. Old open source libraries present a huge security risk for companies, as hackers scan for vulnerabilities they can exploit, and it’s pretty straightforward to work out what libraries and components a web-based tool uses (in the front-end, at least).
When I looked at Dasher I realised it had been way too long since I’d gone through and updated some of the older components. Among the worst offenders was GridStack, which was at v0.4.0 while the latest release of that package is v4.2.6. Holy moly! But it wasn’t alone… I took a look at the results of the ‘npm outdated’ command, and it was a vision of hell.
Not all of these components were still being used: some had already been replaced while others had been used for one-off technology explorations. In any case, there was plenty of low-hanging fruit, but plenty of climbing was also needed to reach the fruit on the higher branches.
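To make a vision of hell like that a bit more navigable, here’s a small script (an added example, not code from Dasher) that takes the output of `npm outdated --json`, ranks packages by how many major versions they lag, and flags the ones that `npm update` won’t touch because the range in package.json still points at the old line. The GridStack versions below are the ones from this post; the other two package names and their versions are made up for illustration.

```javascript
// Added example (not part of the original post): rank the packages reported by
// `npm outdated --json` by how many major versions they lag, and flag the ones
// that `npm update` will not touch because package.json pins them to an old range.
// Usage: npm outdated --json > outdated.json && node rank-outdated.js outdated.json

// Constructed sample in the shape npm emits; gridstack's versions match the post,
// the other two packages and their versions are made up for illustration.
const SAMPLE_OUTDATED = {
  gridstack: { current: "0.4.0", wanted: "0.4.0", latest: "4.2.6", location: "node_modules/gridstack" },
  "example-lib": { current: "2.1.0", wanted: "2.1.4", latest: "2.1.4", location: "node_modules/example-lib" },
  "example-ui": { current: "3.4.1", wanted: "3.4.1", latest: "5.1.0", location: "node_modules/example-ui" },
};

// Parse "major.minor.patch" (optional leading "v"); returns null for anything else.
function parseSemver(v) {
  const m = typeof v === "string" ? /^v?(\d+)\.(\d+)\.(\d+)/.exec(v) : null;
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

function classify(name, entry) {
  const cur = parseSemver(entry.current);
  const latest = parseSemver(entry.latest);
  if (!cur || !latest) return { name, lag: "unknown", majorsBehind: -1, blockedByRange: false };
  const majorsBehind = latest.major - cur.major;
  let lag = "current";
  if (majorsBehind > 0) lag = "major";
  else if (latest.minor > cur.minor) lag = "minor";
  else if (latest.patch > cur.patch) lag = "patch";
  // `wanted` is the newest version the package.json range allows; when it equals
  // `current` but `latest` is newer, the range itself has to be edited to move on.
  const blockedByRange = entry.wanted === entry.current && entry.latest !== entry.current;
  return { name, current: entry.current, latest: entry.latest, majorsBehind, lag, blockedByRange };
}

// Worst offenders first (most major versions behind), then alphabetical.
function rankOutdated(outdated) {
  return Object.entries(outdated)
    .map(([name, entry]) => classify(name, entry))
    .sort((a, b) => b.majorsBehind - a.majorsBehind || a.name.localeCompare(b.name));
}

if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const input = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_OUTDATED;
  for (const r of rankOutdated(input)) {
    const flag = r.blockedByRange ? " (needs package.json range change)" : "";
    console.log(`${r.name}: ${r.current} -> ${r.latest} [${r.lag}, ${r.majorsBehind} major(s) behind]${flag}`);
  }
}
```

Note that for 0.x packages npm treats minor bumps as breaking, so a 0.x package that shows as "minor" here may still be a climb.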
Anyway, a week later and I’m slowly coming up for air (this metaphor doesn’t really work with the fruit thing, but anyway). The process was painful but necessary, and I do feel lighter now. There’s still some work to do... for instance, we’re using an old version of Rollup, which I really need to get around to updating (it’s a build tool, so not something that’s a major issue in terms of security).
I also want to take the time to upgrade Bootstrap, which we use for our overall page layout. One issue relating to this is our use of the Glyphicons Halflings library – which used to be bundled with Bootstrap – for all Dasher’s icons. We were definitely hitting the limits of having a reduced set of iconography available, as you would see from things like our icon for the “skeletons” feature, which was actually an ear of corn. Sigh. From looking at more recent versions of Bootstrap I became aware of the Bootstrap Icons project, which can actually be used separately from Bootstrap and – it turns out – with older versions of Bootstrap, too. Yay!
So after a week of doing a lot of nasty rework – all for zero external change, aside from finding a few obscure bugs that got squashed – I spent the day upgrading our use of icons to remove the Glyphicons dependency completely and rely solely on Bootstrap Icons. This will pave the way for a proper upgrade of Bootstrap at some point, when I have the time and motivation. Here’s a fun GIF showing the old with the new.
Again, this is a research project, so this stuff really isn’t in any way critical, but it does feel nice to give Dasher a quick makeover after making sure its internals are in good working order.