Upgrade dependencies#2162
Conversation
and possible break everything
|
I probably wouldn't have done a PHP upgrade at the same time as all dependencies. This is a pretty big surface area for one PR. I would probably split it up as (in this order):
It's just that this is a lot to review, and when you change so many moving pieces at once ... I just feel like there's more chances for something to go wrong. I tend to feel more confident about smaller, more incremental PRs. Oh and I typically would separate PHP dep updates from JS ones, but that could be just me. |
|
I get what you are saying and am not totally against it, but still would prefer to get through this in one go. We did not maintain our dependencies correctly in the past which created this tech debt and splitting it up into the process described by you would create a lot of PRs with duplicated work and in sum as much for you to review as when it is done at once. I'm quite sure it would take much longer to finish the process as everyone would have to find time to go through new PRs again and again + running it on their instances (with one PR we can easily roll back to a known good state as no DB migrations are involved). Also, some of the versions (like Symfony and some JS dependencies) must be updated together. I know this is a lot, but after this we will keep things updated in a timely manner and with narrow-scoped PRs. |
Summary
This PR upgrades all dependencies, including PHP, Symfony and JS. Broken code was fixed, many (but not all) new deprecations cleaned and the functionality of the site restored with best effort. A summary of major version jumps is attached at the end of this text.
I'm asking you to
verify the state of the site. There are many things I and the tests can not check; like 2FA and OAuth authenticator integration (Google, Github, ...).
We need a graceful rollout of this branch from dev to prod-like environments to ensure all broken thing (which likely still exist) get caught.
Other fixes
While I was at it, I fixed smaller things which annoyed me ;)
Todo
to be revertedcommitsUpgrades
php:
php 8.3 -> 8.5
- notable new features:
- Asymmetric Visibility
- Property hooks
- New array_*() functions + array_first() and array_last() functions
- Fatal Errors (such as an exceeded maximum execution time) now include a backtrace
- Pipe Operator
- Uri class
- breaking changes:
- Using null as an array offset or when calling array_key_exists() is now deprecated
doctrine-bundle 2.18 -> 3.2
- https://github.com/greg0ire/DoctrineBundle/blob/4.0.x/UPGRADE-3.0.md
doctrine-migrations-bundle 3.7 -> 4.0
- https://github.com/derrabus/DoctrineMigrationsBundle/blob/4.0.x/UPGRADE.md
- https://github.com/doctrine/migrations/blob/3.0.x/UPGRADE.md
- need to run the
doctrine:migrations:sync-metadata-storagecommandoauth2-google 4 -> 5
- https://github.com/thephpleague/oauth2-google/blob/main/CHANGELOG.md
reflection-docblock 5.4 -> 6.0
- do we even use this?
2fa-backup-code, 2fa-bundle, 2fa-totp 7.5 -> 8.6
- https://github.com/scheb/2fa/blob/8.x/UPGRADE.md#7x-to-8x
- Priority of the two-factor authenticator has changed from 0 to -100
oauth2-keycloak 5.1 -> 6.1
- https://github.com/stevenmaguire/oauth2-keycloak/releases/tag/6.0.0
- nothing major changed
ux-autocomplete 2.18 -> 3.2
- https://github.com/symfony/ux-autocomplete/blob/3.x/CHANGELOG.md
- nothing major changed for us
ux-chartjs 2.18 -> 3.2
- https://github.com/symfony/ux-chartjs/blob/3.x/CHANGELOG.md
- nothing major changed for us
ux-twig-component 2.18 -> 3.2
- https://github.com/symfony/ux-twig-component/blob/3.x/CHANGELOG.md
- nothing major changed for us
webmozart/assert 1.11 -> 2.4
- https://github.com/webmozarts/assert/blob/master/CHANGELOG.md
- nothing major changed for us
phpunit 12.5 -> 13.2
- https://github.com/sebastianbergmann/phpunit/releases/tag/13.0.0
- nothing major changed for us
js:
babel/core 7.29 -> 8.0
- https://babeljs.io/docs/v8-migration/
babel/preset-env 7.29 -> 8.0
eslint/js 9.39 -> 10.0, eslint 9.39 -> 10.5
- https://github.com/eslint/eslint/releases/tag/v10.0.0
fontawesome-free 6.7 -> 7.3
- https://fontawesome.com/changelog
- Icon canvases now render at a consistent fixed width. To use the default rendering from v6, add our new fa-width-auto class.
stylistic/eslint-plugin 2.13 -> 5.10
- https://github.com/eslint-stylistic/eslint-stylistic/releases/tag/v5.0.0
- nothing major changed for us
symfony/stimulus-bridge 3.2 -> 4.0
- https://github.com/symfony/stimulus-bridge/releases/tag/v4.0.0
- nothing major changed for us
symfony/webpack-encore 5.3 -> 7.1
- https://github.com/symfony/webpack-encore/blob/main/UPGRADE.md
- needed changes were applied
chart.js 3.8 -> 4.5
- https://www.chartjs.org/docs/latest/migration/v4-migration.html
- not directly used by us (Symfony handles it)
globals 15.15 -> 17.7
hotkeys-js 3.13 -> 4.0
- https://github.com/jaywcjlove/hotkeys-js/releases/tag/v4.0.0
- no notable changes
- do we even use this?
sass-loader 16.0 -> 17.0
- https://github.com/webpack/sass-loader/releases/tag/v17.0.0
- no notable changes
simple-icons-font 14.15 -> 16.24
- https://github.com/simple-icons/simple-icons-font/releases/tag/15.0.0
- https://github.com/simple-icons/simple-icons/releases/tag/16.0.0
- no notable changes
webpack-cli 5.1 -> 7.0
- https://github.com/webpack/webpack-cli/blob/main/CHANGELOG.md
- only used by Symfony
GL HF