Update dependencies to latest

[dennisroche]

Description

• Added yarn.lock
• Updated to react 16.3
• Updated to webpack 3.11
• Fixed dependency warnings
• Removed obsolete dependencies

Motivation and Context

Fixes #4495

How Has This Been Tested?

Running locally in Chrome and using current automation test suite.

Checklist

My PR contains...

• No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
• Dependency changes (any modification to dependencies in package.json)
• Bug fixes (non-breaking change which fixes an issue)
• Improvements (misc. changes to existing features)
• Features (non-breaking change which adds functionality)

My changes...

• are breaking changes to a public API (config options, System API, major UI change, etc).
• are breaking changes to a private API (Redux, component props, utility functions, etc.).
• are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
• are not breaking changes.

Documentation

• My changes do not require a change to the project documentation.
• My changes require a change to the project documentation.
• If yes to above: I have updated the documentation accordingly.

Automated tests

• My changes can not or do not need to be tested.
• My changes can and should be tested by unit and/or integration tests.
• If yes to above: I have added tests to cover my changes.
• If yes to above: I have taken care to cover edge cases in my tests.
• All new and existing tests passed.

[heldersepu]

Bamm! checks have failed

I get the idea behind the update to latest dependencies
but migrating to yarn should be a separate discussion and PR

[dennisroche]

@heldersepu fair call on yarn. i'll revert that. it is just nice to a have a deterministic resolution of dependencies between builds.

[heldersepu]

You got a lot of failing tests...

• I think they are all related to react-markdown version 3.3.0. Maybe leave that one as it was?
• Also there is a new version of deep-extend that address a Vulnerability:
  https://snyk.io/vuln/npm:deep-extend:20180409

[dennisroche]

@heldersepu I tried reverting react-markdown to @2.5.0 however tests still fail.

I think the component isn't rendering in the test as markdown looks correct in when running locally. Perhaps with the bump to enzyme-adapter-react-16 is the common point of failure.

[dennisroche]

Already have bumped deep-extend to 0.5.1 which contains the fix for the vulnerability (unclechu/node-deep-extend#39)

[heldersepu]

I do not see your push reverting react-markdown or updating deep-extend

[dennisroche]

I reverted the react-markdown change as test results didn't change.

[heldersepu]

push the revert let's see what Travis CI shows...

the latest shows:

  264 passing (761ms)
  12 pending
  25 failing

[heldersepu]

Yep, still see the same amount of errors...
I did test on my local only updating react-markdown and was getting a bunch of those:
Markdown Script Sanitization

[heldersepu]

Why are you removing this?

[dennisroche]

Mistakenly removed. I'll restore it.

[dennisroche]

restored

[heldersepu]

You are actually downgrading here...

[dennisroche]

That happened when I reverted from yarn. I'll fix.

[dennisroche]

fixed

[heldersepu]

Is karma not needed anymore?

[dennisroche]

It didn't appear to be in use; checked for usage and only found mocha testing.

[webron]

Can't speak for the other dependencies (leaving those to @shockey) but updating to React 16 may not be feasible right now.

[dennisroche]

i thought that i found the issue the missing commonmark peer dependency.

i'll rollback to react@15.6.2.

[heldersepu]

After latest commits we still see the same on Travis:

  264 passing (711ms)
  12 pending
  25 failing

If I was you I will close this PR and start a new one, there I will push one dependency change at a time that way you see where the UnitTests are breaking.

[shockey]

Hi @dennisroche! Thanks for this PR.

Added yarn.lock

Officially, our projects use npm. I have absolutely nothing against using or supporting Yarn here, but for simplicity's sake I think it's important that we stick with one or the other.

Looking at the package-lock.json vs yarn.lock discussion over at Yarn (yarnpkg/yarn#3614), the case of having both npm and yarn lockfiles present is clearly an unresolved issue: neither tool will honor the other's lockfile.

We did introduce a package-lock.json last year (#3160), but then ran into a nasty npm issue (npm/npm#16839) so we walked back the addition (0ab6fde).

All that being said: I welcome the reintroduction of lockfiles (they are clearly a good idea), but we should stick with npm instead of moving just one thing over to Yarn, specially when supporting Yarn will either be at the expense of the npm experience (npm users get no lockfile) or at the expense of consistency (npm and yarn users install from different, possibly differing, lockfiles). I'd be fine with a package-lock.json in this PR.

Feel free to propose a wholesale switch to Yarn in another PR, though 😉

Updated to react 16.3

Our React dependency has been a constant thorn in the project's side... here's some context.

Swagger-UI is not a React library: we expose a regular function that, behind the scenes, mounts a React 15 application at a specified DOM element. This means that we need to bring our own React with us, so we can run in non-React contexts (for example, https://github.com/shockey/swagger-ui-angular4/blob/master/package.json#L26).

This is great for most folks:

• Non-React projects, or folks not using a front-end framework at all, don't need to know/care that we use React
• React 15 users have our React dependency deduced with their own, so everything uses the same React

It breaks down with projects using React 16 and beyond (or 14 and earlier, for that matter): the top-level React in their application freaks out (something like Only a ReactOwner can have refs) when a different copy of React (ours) creates a component tree within the user application's component tree.

Changing our React version to 16 would just shift who we support: folks on 15 and earlier would suddenly have the problems described above. That would be a breaking change, which we'd like to avoid.

I've discussed this at length elsewhere in the issue tracker: see #3158, #3000 (comment), #4232 (comment), #3934 (comment), #3955 (comment).

Updated to webpack 3.11
Fixed dependency warnings
Removed obsolete dependencies

Great!

---

I'll add any other thoughts as a code review.

[shockey]

Is there a specific reason that this was removed?

[shockey]

Is there a specific reason that this was removed?

[dennisroche]

@shockey thanks for the context on react and project history. i admit with this PR I did jump into deep end without discussing the changes.

• the change to yarn was reverted early (not sure if you saw that). yarn's update interactive tooling made it easy but since found npm-check (https://github.com/dylang/npm-check).
• i would like to reintroduce the package-lock.json as deterministic builds are great 👍. that nasty npm bug is resolved and in npm@^5.1 the package.json is now able to trump package-lock.json, so the experience much less of a headache
• i'll drop back to react@15.6 given that is a breaking change. i didn't think it would be as 15.6 was transitioning version for 16.
• react-addons-perf support was dropped in 16 (i think... anyways, that will be coming back)
• i'll make sure to keep the deep-extend@^0.5.1 as contains the fix for a vulnerability

i'm going to close this PR for now and make the above changes.

thanks for the time guys.

[shockey]

@dennisroche no worries, we appreciate the enthusiasm 😄 there’s really no way you could’ve known all of that context ahead of time. In the future, if you’re unsure about the impact of a change that you’d like to make, feel free to drop me an email (address in profile).

Looking forward to the PRs - thanks again!

[dennisroche]

@shockey finally pushed the new update, see #4543