[ https://issues.apache.org/jira/browse/METRON-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639842#comment-16639842 ]

ASF GitHub Bot commented on METRON-1796:
----------------------------------------

Github user nickwallen commented on a diff in the pull request:

    https://github.com/apache/metron/pull/1219#discussion_r223008966
  
    --- Diff: metron-interface/metron-alerts/package.json ---
    @@ -22,17 +22,17 @@
         "@angular/platform-browser": "^6.1.6",
         "@angular/platform-browser-dynamic": "^6.1.6",
         "@angular/router": "^6.1.6",
    +    "@ruffle1986/pikaday-time": "^1.6.1",
         "@types/bootstrap": "^4.1.1",
         "@types/jquery": "^3.3.4",
         "ace-builds": "^1.2.6",
         "ajv": "^6.5.1",
         "angular-confirmation-popover": "^4.2.0",
         "bootstrap": "4.0.0-alpha.6",
         "core-js": "^2.4.1",
    +    "date-fns": "^1.29.0",
         "font-awesome": "^4.7.0",
    -    "moment": "^2.22.2",
         "ng2-dragula": "^1.5.0",
    -    "pikaday-time": "^1.6.1",
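Review bot: the replacement `"@ruffle1986/pikaday-time": "^1.6.1"` moves this dependency from the `pikaday-time` package to a fork published under a personal npm scope, and the caret range means any later release pushed to that scope will be picked up on the next install without a review step; the PR should document why the upstream package could not be kept and what the fork changes, and pin the fork to an exact version (or rely on a committed lockfile) until its maintenance story is clear.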
    --- End diff --
    
    The core of this change is to move from moment.js to date-fns.  Why is pikaday-time suddenly an issue?
    
    I am concerned about this pikaday dependency.  I would rather see us depending on larger, community supported projects like https://momentjs.com/, rather than smaller, individual supported projects like @owenmean/pikaday (or even your own fork @ruffle1986/pikaday-time).
    
    Not only for continued support from obsolescence, but also because security vulnerabilities are all too common and our UI is a large attack surface.  Larger communities mean vulnerabilities are more likely to be uncovered and patched.
    
    I get the technical motivation here.  We want to decrease the load time.  At the same time, we need to consider the organizations behind our dependencies to ensure their long-term viability and support.
    
    Is there not another way we can tackle the technical challenge here?



> [UI] Migrate off moment.js
> --------------------------
>
>                 Key: METRON-1796
>                 URL: https://issues.apache.org/jira/browse/METRON-1796
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Tamas Fodor
>            Assignee: Tamas Fodor
>            Priority: Minor
>
> Remove Moment.js and replace with another smaller library.
> Moment.js requires us to import the entire library vs. a few necessary 
> modules.
> Moment.js can prevent bundlers from supporting tree-shaking.
> By removing Moment.js, we can decrease our overall bundle size and prevent 
> issues with tree-shaking in the future.
> Here you can find the discussion on the mailing list:
> https://lists.apache.org/thread.html/2e4fafa4256ce14ebcd4433420974e24962884204418ade51f0e3bfb@%3Cdev.metron.apache.org%3E



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
