TLDR: fresh-node now defaults to Node.js 20, and we're introducing the "fresh-npm" 
security feature.

Get started:
https://gerrit.wikimedia.org/g/fresh#fresh-environment

Changelog: https://gerrit.wikimedia.org/g/fresh/+/HEAD/CHANGELOG.md
Commits: https://gerrit.wikimedia.org/r/q/project:fresh+is:merged

Hi all,

Fresh 24.05 is upon us!

*What's new?*

The fresh-node22 command has been introduced by James Forrester, and is now 
open for early testing. This uses the "releng/node22-test-browser" Docker image 
that is also available to Jenkins jobs in WMF CI. Standalone libraries and 
tools are welcome to opt in and switch their CI jobs in Zuul config if they pass 
under node22.

The default fresh-node command was updated from Node.js 18 to Node.js 20, 
similarly re-using the same Docker images that we use in WMF CI. These feature 
the same Debian Linux version, same pre-installed packages, and versions 
thereof. This makes it as easy as possible to reproduce CI failures locally. 
Vice versa, if you use Fresh in local development, you're unlikely to encounter 
failures in CI. You can continue to develop on older versions via the 
fresh-node18 and fresh-node16 commands. The fresh-node14 command has been 
removed (unsupported since last year 
<https://github.com/nodejs/Release#end-of-life-releases>).

This release includes the first contribution to Fresh by Marius Hoch (WMDE), 
who fixed a bug <https://gerrit.wikimedia.org/r/c/fresh/+/1034847> affecting 
projects with a space in their working directory name. Thanks Marius!

Finally, this release introduces the experimental "fresh-npm" feature. You can 
opt in by cloning the repo and running `bin/fresh-install --secure-npm`. This 
will shadow the npm command in the shell on your main workstation, so that you 
avoid accidentally running potentially insecure scripts outside Fresh. Other npm 
commands are unaffected. It can be bypassed as needed by specifying the full 
path to npm, which is also printed at the end of any fresh-npm help or error 
message. I previously maintained this under the name "secpm" in a local patch 
<https://gerrit.wikimedia.org/r/c/fresh/+/675346> since 2021. It has served 
myself and a handful of others well. I hope it can be useful to others!

To report issues or browse tasks, find us on Phabricator at 
https://phabricator.wikimedia.org/tag/fresh/.

*What is Fresh?*

Fresh is a fast way to launch isolated environments from your terminal. These 
can be used to work more securely and responsibly 
<https://timotijhof.net/posts/2019/protect-yourself-from-npm/> with 
Node.js-based developer tools, especially those installed from npm such as 
ESLint, QUnit, Grunt, Webdriver, and more. Example guide: 
https://www.mediawiki.org/wiki/Manual:JavaScript_unit_testing. Get started: 
https://gerrit.wikimedia.org/g/fresh#fresh-environment

--
Timo Tijhof,
Principal Engineer,
Wikimedia Foundation.
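
The shadowing approach described for fresh-npm above, shown as a shell function for the host workstation. This is an added example, not Fresh's code: the list of guarded subcommands, the function names and the messages are assumptions made for illustration.

```shell
# Added illustration of shadowing npm in the host shell; not Fresh's code.
# Assumption: these subcommands are the ones treated as able to run package scripts.
GUARDED_SUBCOMMANDS="install i ci test t run run-script start exec rebuild"

# Remember the real binary before the function below takes over the name.
REAL_NPM="$(command -v npm 2>/dev/null || true)"
# Keep only an absolute path, so re-sourcing this file cannot make npm call itself.
case "$REAL_NPM" in /*) ;; *) REAL_NPM="" ;; esac

# Print "block" or "pass" for an npm argument list.
# Fails closed: any non-flag argument that matches a guarded subcommand blocks,
# so `npm --prefix dir install` cannot slip past by putting a flag value first.
npm_guard_decision() {
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;
        esac
        for guarded in $GUARDED_SUBCOMMANDS; do
            if [ "$arg" = "$guarded" ]; then
                echo block
                return 0
            fi
        done
    done
    echo pass
}

# Shell functions take precedence over PATH lookups, so this shadows `npm`.
npm() {
    if [ "$(npm_guard_decision "$@")" = block ]; then
        echo "npm $*: refused outside the isolated environment." >&2
        echo "To bypass, call the full path: ${REAL_NPM:-<npm not found>}" >&2
        return 1
    fi
    if [ -z "$REAL_NPM" ]; then
        echo "npm: real binary not found on PATH" >&2
        return 127
    fi
    "$REAL_NPM" "$@"
}
```

Because the guard fails closed, a harmless call such as `npm help install` is also refused; the printed full path is the way around it.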
