Legacy Angular App - Package Updates
NOTE: This advice relates to the legacy Angular frontend, which we are deprecating and is included for reference purposes until that work is complete.
Supervision frontend packages are managed by Yarn
Note: Don’t run npm updates. They will appear to apply as they use the same package.json but the application isn’t set up for them
Depending on which part of the application you are updating you will need to use a different docker-compose definition
- Supervision: yarn-supervision
- UI Tests: yarn-protractor-e2e
- UI Tests Updated: yarn-protractor-e2e-updated
Supervision Angular and Ngrx Updates
Angular is capable of applying code migrations as it updates, but to do so must be updated using the ng command
E.g.
docker-compose run --rm yarn-supervision ng update @angular/core@12 @angular/cli@12 @ngrx/store@12
Note: you are likely to need to add the --force option to overcome warnings
Finding why a package is required
why can be used to find what is using a dependency.
E.g
docker-compose run --rm yarn-supervision why tar
The # separator is used between packages name splits and their dependencies. So in the example below @angular\cli depends on pacote which depends on tar version 6.1.0 but it’s not instantly obvious at a glance
Updating a package or it’s dependencies
Updating a package is done by targeting an update of the top level package. If you are updating the version specified in the package.json use add
E.g.
docker-compose run --rm yarn-supervision add @fortawesome/angular-fontawesome@0.9
If you want to update but keep the existing restrictions, or are already at the latest version and just want to update it’s dependencies use upgrade
E.g.
docker-compose run --rm yarn-supervision upgrade node-sass
Removing a package
If you want to remove a package that is no longer in use or being replaced use remove
E.g.
docker-compose run --rm yarn-supervision remove mydatepicker
Fixing security vulnerabilities
Often when resolving package based security vulnerabilities, the out of date package will be several dependencies deep. In this case you need to identify the top level package (the one listed in the package.json) that must be updated in order to update the dependency
First run why
There will often be multiple versions in use so look for the specific version with the vulnerability (usually the oldest one)
Then find the top level package or packages that are using it
If they are not at the current latest version it is worth trying to update them first, but if this is not simple then run an upgrade on all necessary packages and run a build to make sure Supervision still compiles
If the package is related to features that are only used by developers (such as hot reloading changes) then run those locally as well, anything else should be tested in CI