Github user nickwallen commented on a diff in the pull request:
https://github.com/apache/metron/pull/1219#discussion_r223008966
--- Diff: metron-interface/metron-alerts/package.json ---
@@ -22,17 +22,17 @@
"@angular/platform-browser": "^6.1.6",
"@angular/platform-browser-dynamic": "^6.1.6",
"@angular/router": "^6.1.6",
+ "@ruffle1986/pikaday-time": "^1.6.1",
"@types/bootstrap": "^4.1.1",
"@types/jquery": "^3.3.4",
"ace-builds": "^1.2.6",
"ajv": "^6.5.1",
"angular-confirmation-popover": "^4.2.0",
"bootstrap": "4.0.0-alpha.6",
"core-js": "^2.4.1",
+ "date-fns": "^1.29.0",
"font-awesome": "^4.7.0",
- "moment": "^2.22.2",
"ng2-dragula": "^1.5.0",
- "pikaday-time": "^1.6.1",
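Review bot: the swap of `pikaday-time` for the user-scoped fork `@ruffle1986/pikaday-time` keeps the same caret range `"^1.6.1"`, so any later minor or patch release published under that personal npm scope will be picked up automatically on a fresh install. Pin the fork to an exact version (drop the caret) and commit the matching lockfile update with this package.json change, and record in the PR what the fork changes relative to upstream so the reason for depending on it is documented. The `moment` removal and `date-fns` addition in the same hunk look consistent with the stated goal of the change.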
--- End diff --
The core of this change is to move from moment.js to date-fns. Why is
pikaday-time suddenly an issue?
I am concerned about this pikaday dependency. I would rather see us
depending on larger, community supported projects like https://momentjs.com/,
rather than smaller, individually supported projects like @owenmean/pikaday (or
even your own fork @ruffle1986/pikaday-time).
Not only for continued support from obsolescence, but also because security
vulnerabilities are all too common and our UI is a large attack surface.
Larger communities mean vulnerabilities are more likely to be uncovered and
patched.
I get the technical motivation here. We want to decrease the load time.
At the same time, we need to consider the organizations behind our dependencies
to ensure their long-term viability and support.
Is there not another way we can tackle the technical challenge here?
---