
Upgrade vendor libraries to avoid potential security issues

Open nobodyiam opened this issue 3 years ago • 11 comments

Is your feature request related to a problem? Please describe.

The vendor libraries used in apollo are outdated (Bootstrap v3.3.5, jQuery 2.2.4, AngularJS v1.5.1, etc.), which means potential security issues, e.g. https://snyk.io/test/npm/bootstrap/3.3.5

Describe the solution you'd like

Upgrade the vendor libraries to recent versions

nobodyiam avatar Oct 07 '21 11:10 nobodyiam

I know this might be a lot of work, but why not upgrade from AngularJs to Angular? According to this blog post (https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c) LTS will end December 31, 2021.

I think it would be a great idea to move forward by changing to Angular since this will make Apollo more future proof.

DiegoKrupitza avatar Oct 07 '21 18:10 DiegoKrupitza

@DiegoKrupitza I think this is a good idea and we need someone to take a look and estimate the effort before doing the migration.

nobodyiam avatar Oct 08 '21 00:10 nobodyiam

There are a few resources available at the official angular site (https://angular.io/guide/upgrade) but to really do this you need someone who knows the frontend by heart, since a lot can go wrong 😅

I'm not an angular expert but I would suggest not mixing AngularJs and Angular since this may become way too complex over time.

When upgrading to Angular I would also think it will make sense to upgrade to TypeScript as well.

DiegoKrupitza avatar Oct 08 '21 06:10 DiegoKrupitza

I think the upgrade from AngularJs to Angular should be an issue of its own, since it looks like this will be a major upgrade.

Is there a reason why the frontend for the Apollo portal is inside the static content of the backend? Wouldn't it be more suitable to extract the frontend into its own folder? This would decouple the angular frontend from the java backend and make it more modular. This may be helpful in case of scaling, since right now every time you deploy an Apollo portal you always have an angular frontend included, but this might not be useful and a waste of resources (if you deploy 2-3 portals to load balance/fault tolerance/... you may just need 1 angular frontend)

DiegoKrupitza avatar Oct 08 '21 06:10 DiegoKrupitza

The only reason to put the static contents inside apollo portal is to ease the deployment process, so that the user doesn't need to start a standalone server to serve those static contents. It does look like a major upgrade from AngularJs to Angular, so maybe we could first upgrade the AngularJs version to solve the potential security issues.

nobodyiam avatar Oct 09 '21 00:10 nobodyiam

Angular is getting less attention in China, would it be more appropriate to choose react + hook + ts or vue3 + ts for dashboard refactoring?

NICEXAI avatar Oct 19 '21 03:10 NICEXAI

Using a familiar technology stack also allows more people to participate in the development and maintenance of the dashboard.

NICEXAI avatar Oct 19 '21 03:10 NICEXAI

> Angular is getting less attention in China, would it be more appropriate to choose react + hook + ts or vue3 + ts for dashboard refactoring?

The major benefit of a transition from AngularJs to Angular is that you do not really have to rewrite everything.

If we switch from AngularJs to React/Vue we need to rewrite all the functionalities.

DiegoKrupitza avatar Oct 19 '21 16:10 DiegoKrupitza

> > Angular is getting less attention in China, would it be more appropriate to choose react + hook + ts or vue3 + ts for dashboard refactoring?
>
> The major benefit of a transition from AngularJs to Angular is that you do not really have to rewrite everything.
>
> If we switch from AngularJs to React/Vue we need to rewrite all the functionalities.

I am a front-end developer, and I have carefully checked all the features of dashboard, maybe there are not as many features as I thought. Most of the time redevelopment is much faster than refactoring

NICEXAI avatar Oct 20 '21 03:10 NICEXAI

For front-end developers, writing pages is a very simple thing, far less work and much more efficient than refactoring.

NICEXAI avatar Oct 20 '21 03:10 NICEXAI

> > > Angular is getting less attention in China, would it be more appropriate to choose react + hook + ts or vue3 + ts for dashboard refactoring?
> >
> > The major benefit of a transition from AngularJs to Angular is that you do not really have to rewrite everything. If we switch from AngularJs to React/Vue we need to rewrite all the functionalities.
>
> I am a front-end developer, and I have carefully checked all the features of dashboard, maybe there are not as many features as I thought. Most of the time redevelopment is much faster than refactoring

I created a new Issue that only focuses on Upgrading from AngularJs to X. Personally I am open to any framework that has at least a bit of popularity. But I think this should be a community decision so maybe the PMC can help out finding a good fit for everyone

PS: let's move the discussion to #4051

DiegoKrupitza avatar Oct 20 '21 07:10 DiegoKrupitza