-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3.4.9 breaks an execution order #3278
Comments
duplicated #3271 |
I noticed the same issue with SheetJS/js-xlsx All UTF8 characters will have their bytes reversed when exporting files with an uglified bundle. |
@alexlamsl Is there anything you can do for us here? |
I confirmed the pull request "enhance conditionals (#3243)" made this bug happen. |
@alexlamsl Is there any plans to release a minor version fixing that? That is bug with high priority to solve. And, thanks @kawanet for posting the scenario where this issues occurs! Here we are having the same problem. |
@pedrofurtado Given the age of this issue, I doubt there is any interest at all to do anything |
A workaround, for now, is to disable "conditionals" optimization when using UglifyJS in version 3.4.9. Suggestion from: #3288 (comment) |
Releasing a new version and then disappearing is bad form. Please follow up with your community after the release. If you don't have time to do that, better not to do the release in the first place. |
This bug has caused us a lot of headache. It makes special characters have their bytes reversed when saving them to Firebase, but only if Firebase falls back to long polling, which made this bug happen only sometimes for our users. We couldn't reproduce it ourselves and it took a long time to track this down. I knew that it was due to some updated modules and I updated them a few more times in the hope that a fix would have been released in the meantime, but to no avail. Now I see that this serious bug has already been filed for two months! (#3245) I have to say that I am disappointed that such a widely used module lets this happen, especially on a patch release. At least a quick revert of the breaking commit would have been in order. |
Github users have an inflated sense of entitlement. Don't blame the people who generously volunteer their time producing and maintaining open source software. No one can be expected to support software for free forever. Ultimately it's up to each project to test their applications. There is no guarantee. All software has bugs. Projects come and go. You have the freedom to disable any or all minification options, lock in any version, fork and maintain this or any other project (license permitting), or switch to an alternative. If anything this exercise points to a deficiency in the node package ecosystem. There is no way to flag issues with certain versions of packages other than to file a bug report with its author. There ought to be a way in |
@kzc While I agree with you in most parts, when the community finds an issue in your software, at least a response like "Thanks for letting me know, but I'm busy for the rest of the year. Sorry about that" or "Please submit a PR and I will merge it" would help in understanding why there is no movement in this issue. I don't think anyone expects to be served freely with fixes for the remainder of their live, but no response at all frustrates people. We actually implemented a version locking approach into our own dependency management tool to allow us to better handle situations like this in the future. |
OSS is a thankless task. I don't fault any package maintainer for walking away without explanation. Instead, I appreciate their effort. "Community" is an overrated term. People only used this software because it was better than the alternatives at the time. There are software producers and free downloaders. If users took a minute to read the uglify issues they could have seen and easily avoided the problems and used any of the workarounds listed above. |
Hi, and welcome to GitHub!
When software maintainers, open source or not, don't act in a professional manner, I think it is appropriate to take the following steps, in the following order:
This is mostly true. I have been an OSS maintainer of various projects for many years. However, I don't agree that it's a thankless task. When we release software, we take on various responsibilities. Among them: ensuring that the software works as intended for its users, and generally being a good steward of our communities. Interpretations of these responsibilities vary. However, this much is clear: if professional users depend on a software product that is being released and maintained in an unprofessional manner, then this either needs to be corrected by improving the release process, or the users need to find alternative software. And again, I can't speak for others, but when I no longer have time to contribute to a project, I do my best to leave it in the hands of someone capable who will continue to look after its community. At this point I'm going to be moving away from uglify-js to https://github.com/terser-js/terser and I recommend that any others who are frustrated with this issue do the same.
I appreciate results more than misplaced effort. We're having this conversation today because the maintainers of uglify-js screwed up, and it's not the first time. This is not entitlement, it is a simple statement of cause and effect as it relates to my livelihood as a professional software developer. |
Comments like that drive people away from wanting to contribute to OSS. You are using this software for free and are owed nothing. @alexlamsl did an outstanding job as maintainer. He redesigned and simplified the minify API for
Wow, you really went out on a limb there recommending an |
Thanks for all your contributions, both here and on |
And thanks for your insightful comments too! |
@kzc I'm the author of some popular open source projects, too. I don't have the time to maintain them all, so I got in touch with the community and took care of finding new primary maintainers for the projects. If there would be a change that breaks a project for many of its users, then I would at least put in 5 minutes to revert the change. That's all it takes. I wouldn't have to actually fix the broken change. In my opinion you do have at least some responsibility for the lost time of other people that you cause by breaking your open source project. They put trust in you and you should be responsible with this trust. This does not contradict with me being thankful for the open source work that other people do. Btw: We switched to |
This is not true in our case. The way the bug happened to us and wasn't reproducible had me suspect other components first. I suspected Vue.js and Firebase as likely culprits and only when a coworker of mine could reproduce the problem because of an internet hickup I was able to see that it was caused by reverse code order in production. |
@neelance We'll have to agree to disagree. Users are responsible for reviewing the issues of any package before upgrading and to continue monitoring the issues once they've upgraded. All users would be well advised to lock down their package versions in yarn and npm. All software has bugs - whether the project is maintained or not. Users of this or any other OSS project are owed nothing and are not forced to use the software. They are responsible for testing their own applications after upgrading any of their packages. The LICENSE file is there for a reason. |
I'm currently thinking a lot about this and I am somewhat confused... I don't want to say that the author of a project owes something. But on the other hand it doesn't feel right to me to just say every behavior is equal. Are you saying that there should be zero trust? Even if someone does a great job like you said @alexlamsl did, I should still not trust him? How can we build advanced projects without such trust? Especially in the NPM world it is quite infeasible to track all issues of all transitive dependencies. |
I wouldn't phrase it exactly that way, but yes, people should not blindly trust any package or package upgrade. There's always been bugs in this and every other OSS project. You are ultimately responsible for testing your own applications. A million or so people per day downloaded The introduction of this bug was not intentional. It was created in an effort to add a new optimization. All new features have the possibility of introducing a bug. Uglify is highly customizable and offers granularity to enable or disable any optimization according to each user's risk tolerance.
It's feasible. I do it for my own projects. You have to ability to lock down any package version in the hierarchy or even swap them out with custom versions using |
I confirm regression in 3.4.8 -> 3.4.9 The same problem with execution order. |
fixes mishoo#3245 fixes mishoo#3257 fixes mishoo#3260 fixes mishoo#3269 fixes mishoo#3271 fixes mishoo#3278 fixes mishoo#3309 fixes mishoo#3319 fixes mishoo#3321
msgpack-lite wip branch's test fails when minified with Uglify 3.4.9.
It also passes when minified with Uglify 3.4.8 however.
It looks 3.4.9 breaks something about the order to execute.
JavaScript input
The following function is found at https://github.com/kawanet/msgpack-lite/blob/master/lib/buffer-lite.js
The
uglifyjs
CLI commandUglify 3.4.8 🆗
Uglify 3.4.9 🆖
It looks
e[h++] = o
is moved to wrong positions.The text was updated successfully, but these errors were encountered: