Bump signature_pad to v4 to fix undefined is not an object race condition
#68
Conversation
agilgur5
changed the title
There was a problem hiding this comment.
doesn't seem to be iOS 15 specific, rewritten
an iOS 15 issue
per szimek/signature_pad#329, this seems to occur on multiple devices and browsers and doesn't seem to be related to iOS 15 specifically, so I've rewritten the description to be more generic
not sure that the upgrade fixes this either?
fixes szimek/signature_pad#329
I've rewritten this as well because fixes is a keyword in GitHub issues and it made this PR pop up in that issue as a "may fix", which is incorrect.
That being said, as szimek/signature_pad#329 (comment) points out, there actually hasn't been a confirmation that this is fixed in v4.
I did go ahead and investigate myself though, and if the root cause is the same race condition, then it should indeed have been fixed by szimek/signature_pad#481. But I'm not sure what the root cause is, this is just from a cursory reading of the related issues and PRs.
PR does not address breaking change
Per my in-line comment, this PR does not address a breaking change in signature_pad and as such cannot be merged. When making upgrade PRs, especially SemVer major ones, please make sure to check the changelogs and address them (and if no changes are required, stating that in your PR and why you believe that to be so can be very helpful to reviewers).
| @@ -50,7 +50,7 @@ | |||
| "react-dom": "0.14 - 16" | |||
| }, | |||
| "dependencies": { | |||
| "signature_pad": "^2.3.2", | |||
| "signature_pad": "^4.0.0", | |||
There was a problem hiding this comment.
This upgrade is a breaking change, but this PR does not make any other changes outside of a version upgrade.
Per the changelog, they are incompatible versions, however, as the SemVer major tag change suggests.
The EventEmitter change is breaking and affects the onEnd and onBegin callbacks in this library/component. Those are currently in idiomatic React and don't work as smoothly/straightforward against addEventListener etc APIs. Will need to think of the optimal way to implement that, or require direct signature_pad usage or something, but at least one other internal change must be made in addition to the upgrade.
It may very likely require a major version change of react-signature-canvas if our API has to change in order to accommodate the EventEmitter upstream change. TBD on that
agilgur5
added
scope: dependencies
|
Thanks for the thorough commentary. It seems we're a bit stuck in this case; the fix is trivial but if it requires a rewrite of the APIs and a major version bump in this library that becomes a lot of work. Can I suggest an alternative proposal? This library currently relies on a version of signature_pad released over 4 years ago. The fix for the issue in that library which we need is 4 lines of code (excluding comments). I will attempt to get a PR onto the If that's not possible because of the upstream package not wanting to put out a new minor for an old version, what would you think to forking that package with the fix applied to the |
|
I think a better option would be to update signature_pad to v4 and use the onBegin and onEnd props to add events to signature_pad something like: componentDidMount () {
this._sigPad = new SignaturePad(this._canvas, this._excludeOurProps())
if (this.props.onBegin) {
this._sigPad.addEventListener("beginStroke", this.props.onBegin);
}
if (this.props.onEnd) {
this._sigPad.addEventListener("endStroke", this.props.onEnd);
}
this._resizeCanvas()
this.on()
}That way you get the most secure version without needing to maintain it yourselves and your API doesn't change. 🎉 You could also add |
|
That change looks pretty simple; do you think it's the only change required to upgrade to v4? |
|
That is the only breaking change to the inputs. The other big breaking change is the structure of the data returned from |
old
|
|
imho monkey patching is no different than forking. It means you will need to continue to maintain and fix bugs without downstream support. I understand the downsides of bumping the major version but sometimes that is the best way to move forward. |
|
I agree with @UziTech that the monkey patch and fork mechanisms are not ideal. However the PR onto v2 of the It seems that updating this library to use On that subject, my preference is for a fork. A fork gives more overall clarity as to what's happening, and makes any maintenance commitments of said fork clearer to consumers of the library. I'd suggest that given the age of signature_pad v2, it's unlikely that a lot of issues will come about that people are unaware of, and this one fix seems the clearest one to backport to v2. I'd be willing to fork (once we have a resolution we should also close this PR as we may as well open a new one to handle moving the dependency to a fork) |
It wouldn't be for this one issue. There have been many fixes since v2. And it would be to make sure any future fixes get in as well. |
monkey-patching vs forking
That's implied and understood of course. Monkey-patching is just perhaps a better temporary resolution than forking. We have been discussing temporary solutions this whole time as upgrading to v4 is not something that is going to happen overnight given its significant complexity (multiple breaking changes), and some users may be satisfied by a temporary solution in the meantime.
@M1ke it may offer "more clarity" in one sense of the word, but in another, such as in the sense of "trust" in an ecosystem with increasing amounts of supply chain attacks (and poor permissions against them), it can offer less of that. I wouldn't want users to be suspicious of I do agree about less risk of mistakes too though, namely as an issue with two canvases popped up, and monkey-patching in that scenario would have to be a bit more complicated. We could also use bumping major versions and the impact on the ecosystem
I don't disagree with this sentiment generically, but also as with any library, one can expect that downstream libraries will take time to upgrade. This becomes significantly more complicated when compatibility issues arise. And if those compatibility issues are complex, as is the case here (multiple breaking changes), one can further expect that the upgrade process will take exponentially longer as a result. I think it would be worthwhile to add some concrete data here. Based on NPM download count, Also for reference, this was one the first open-source repos I maintained and I back-ported multiple patches between In light of all those facts, I would think one could say that the one sentence rejection of a simple backport PR seems overly simplistic. other breaking changes not responded to@UziTech could you respond to my questions around the other breaking changes from my previous comment? I think that would be to the benefit of our shared userbase, and I can make a PR to the changelog to make any necessary corrections. Specifically these two blocks:
EDIT: Added one PR szimek/signature_pad#616 (comment) so far to fix the changelog |
|
I'm not sure I'm the one you need to convince. I am just helping maintain the latest version of signature_pad. If you want to maintain a fork of v2 that is on you and if you want to maintain it in the repo https://github.com/szimek/signature_pad you will have to convince @szimek. |
|
For what it's worth I'm still convinced the best option is to update to signature_pad v4 and release a major update. Most of your users will stay on the old version but that is not your problem (for most of them it is no problem at all). They will update when the time is right for them. And for the vast majority of them there shouldn't actually be any breaking changes (assuming a successful wrapper is created for event functions). Also NPM is not the only way signature_pad is used |
stats
Yes, I'm aware of that. I've even helped track down some CDNJS issues in Also the download counts from jsDeliver actually even further bolster my point; old versions
I don't necessarily agree with this statement. If most of your users are on an old version, then your library has an upgrade adoption issue. That is still an issue within the purview of maintainers. (one of the reasons why maintainers have too much responsibility).
Given that no one's stepped up to do this so far, its high complexity as already discussed, and that I've been the only major contributor for years, this is expecting quite a lot.
To be clear, back-porting is not the same as forking. Back-ports are very common in open-source, from kernels like the Linux Kernel to OSes to browsers to Node.js itself. For the larger components, these often have the concept of LTS (long-term support). Many JS libraries may not have LTS, but still back-port fixes, including, as mentioned above, other breaking changes not responded toI still haven't gotten answers to these questions despite multiple asks 😕 😐
^This was merged, so I guess this has been self-answered now.
^I'm still not sure the answer to this back-porting fixes to v2
That's fine to have that policy, but this is moving the goalposts. You were arguing for a certain side and did yourself reject @M1ke 's PR to the v2 branch in szimek/signature_pad#601. You didn't leave that up to @szimek initially, but are only now saying that. For what it's worth, I very much agree with @M1ke 's point in szimek/signature_pad#601 (comment) that this is a very simple back-port that will fix a bug for 90% of users, because 90% of users have yet to upgrade to v4. Back-porting generally is not that difficult (unlike this upgrade with multiple breaking changes, some of which were not properly documented) and @M1ke literally already made the PR for this work. If @szimek wants to add me as a maintainer to back-port fixes to v2 for the time-being, I can certainly do that. And can help merge PRs to v2 from @M1ke or anyone else. In terms of "trust", I already maintain many open-source libraries and am already a long-time contributor to the ecosystem ( I am not able to add myself, so that is currently outside of my control (and publishing releases to NPM is also a separate permission). The only thing we can do is create a fork, which as mentioned above, will cause trust/security issues in the community, so that is not a particularly good option either. |
agilgur5
changed the title
undefined is not an object race condition
|
Comment level: heroic! Seriously, let's get this done. Get the PR into V2. If not, I'll fork signature pad V2 so @agilgur5 doesn't have to seem like the one breaking cohesiveness in an ecosystem they're much deeper into than I am; then I'll pr this repo to change the dependency. Hopefully we don't need to. But this bug will be annoying such a range of users, especially those using error logging tools getting all that noise - we'll be doing a service by fixing it, even if we can't fix it in the "ideal" way |
The only ones I know of are beholden to sponsors. Last I checked signature_pad (as well as this library) doesn't have any of those. I'm not telling you can't or shouldn't support your users that stay on older versions, I'm saying you don't have to and there will be very few complaints if you don't.
It requires the same amount of effort to maintain. And again it isn't me you need to convince if you would like to maintain a "backport" for v2 on szimek/signature_pad.
That is because no one knows the answers. If you would like to look through the repo to figure out the answers no one is stopping you. Honestly I haven't used signature_pad on a daily basis for almost a year now so I have to reread the code to remind myself how it works every time there is an issue or pr. @szimek walked away from the project a long time ago. I think the best bet is for one or both of you two to fork it and maintain a separate copy. It is pretty much in maintenance mode now just getting bug fixes whenever anyone finds a bug. It has been feature complete for a while.
Mine as well. I don't have access to add people or upload to npm. |
regarding maintenance
Off the very top of my head I can think of at least two:
and, as you observe, neither is There are certainly more, that's just ones that immediately come to mind as backports that I have literally used myself in the past (in this case, I remembered these raising issues while I was maintaining TSDX).
maybe. this is personal opinion. whether that is best practice I think is a separate story. But yea, absolutely, OSS relies on volunteers so it should be expected that not every best practice is followed, since, hell, paid developers at corporations don't even do that. Both And, to be clear, it's also not that I expect you to backport things to v2 yourself -- we've got two contributors right here after all -- it's just that I think that would have been significantly less effort to merge a few PRs and make one release than this entire thread, IMO.
Just from personal experience, I disagree. As I said above, cherry-picking doesn't actually tend to be that difficult (except for big ranges, ofc). It's still a pain to make releases, but if those are automated or batched into a single release, as we could do here, that decreases the load quite heavily.
Especially in the case where there are only bugfixes, this generally makes it pretty easy to cherry-pick as it is roughly 1-to-1 (the TS portions complicate it a bit though, but these don't change that many lines at all). regarding other breaking changes
Er, well... you brought this up yourself.... so I would say that me asking for clarification (x3) about your own statement which contradicts your own changelog is a pretty reasonable question, no?? That changelog entry and those PRs were written by you as well, so I also think it makes sense to ask the author when they themselves bring it up, no?? I did look through for my first changelog PR, this one was a lot more confusing though, and the contradiction of the changelog just served to confuse me more. Like legit confused here, and that is what I am trying to convey in my tone/wording (not sure if that comes out well over text).
Understood, I have to do that with various libraries of mine too. I do see that you respond to issues/discussions pretty often (and much respect to you for that too!! 👍 💯 one of the least appreciated pieces of being a maintainer ❤️ ) since I occasionally hop in myself. next steps
Yeaaa that's kind of why I was taken aback when you kicked the can to @szimek, if we're being real here 😅
Ah, ok. I thought @szimek would've granted you those permissions since you're pretty much the only maintainer and he hasn't been around. That would've been great to know initially too as a short-circuit, since the request to backport effectively becomes impossible without @szimek .
Sounds like a plan then, appreciate your responses here @UziTech . (and how incredibly quick you respond!)
Since we do have to go with this method, let's use my fork, just so that users have more trust if they see
yea seeing #90 brought me back here
and thank you, I try to explain things in meticulous detail for all readers and posterity! (which is a very welcome contrast to the toxicity you find in much of OSS. that makes OSS more welcoming and positive instead of depressing. I cannot overstate this enough given that I literally keep a private OSS gratitude journal to help keep me going) |
|
Sounds like a plan. I'll send a new pr for the backported fix into your fork instead. I may as well let you repoint the dependency though. |
This change resolves a race condition where the following message is logged:
Updating
signature_padfrom 2.x to 4.x includes a fix for szimek/signature_pad#329