chore: Fix last path-to-regexp dependabot alert by using vite preview instead of serve #11015

@bnussman-akamai bnussman-akamai commented Sep 27, 2024

Description 📝

Note

We are removing serve as a dev dependency to satisfy dependabot, but if you ever need to use it to serve static HTTP assets, you can always run it with npx / bunx.

For example:

bunx serve packages/manager/storybook-static

How to test 🧪

  • Verify our Cypress pipeline works (it serves the local build) ✅

As an Author I have considered 🤔

  • 👀 Doing a self review
  • ❔ Our contribution guidelines
  • 🤏 Splitting feature into small PRs
  • ➕ Adding a changeset
  • 🧪 Providing/Improving test coverage
  • 🔐 Removing all sensitive information from the code and PR description
  • 🚩 Using a feature flag to protect the release
  • 👣 Providing comprehensive reproduction steps
  • 📑 Providing or updating our documentation
  • 🕛 Scheduling a pair reviewing session
  • 📱 Providing mobile support
  • ♿ Providing accessibility support

@bnussman-akamai bnussman-akamai added the Dependencies Pull requests that update a dependency file label Sep 27, 2024
@bnussman-akamai bnussman-akamai self-assigned this Sep 27, 2024
@bnussman-akamai bnussman-akamai requested a review from a team as a code owner September 27, 2024 18:43
@bnussman-akamai bnussman-akamai requested review from carrillo-erik and coliu-akamai and removed request for a team September 27, 2024 18:43
@@ -85,7 +85,7 @@
"scripts": {
"start": "concurrently --raw \"vite\" \"tsc --watch --preserveWatchOutput\"",
"start:expose": "concurrently --raw \"vite --host\" \"tsc --watch --preserveWatchOutput\"",
"start:ci": "yarn serve ./build -p 3000 -s --cors",
"start:ci": "vite preview --port 3000",
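
Review bot: The new `start:ci` command drops three things the old one passed explicitly: the `./build` directory, `-s` and `--cors`. `vite preview --port 3000` serves whatever output directory the Vite config names, so confirm that is `build`, and confirm the Cypress run does not depend on the single-page fallback or CORS behaviour the old flags requested. Consider adding `--strictPort` so CI fails fast when port 3000 is taken instead of starting on another port.
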
Member Author

@jdamore-linode Think this will work?

Contributor

@jdamore-linode jdamore-linode Sep 27, 2024

If it uses Vite's dev server I suspect it'll cause performance issues in the Cypress tests, but I can double check and confirm.

For context:
cypress-io/cypress#3708

tl;dr, to the best of my understanding: the mechanism Cypress uses to intercept HTTP requests (which applies to all requests that happen during a Cypress run, not just those that are cy.intercept()ed) doesn't support HTTP2. Because of the way Vite's dev server chunks(?) things (an HTTP request for every module), Cloud's performance really suffers in Cypress as a result. It isn't too noticeable when running a single test here and there, but over the course of the full suite it causes a pretty significant impact (and may even cause flakiness in some cases, but might be misremembering).

(This is why I generally suggest yarn && yarn build && yarn start:manager:ci in my test PRs, but I'm going to be formally documenting this as part of the test docs I've been working on [on and off] the past few weeks.)

Contributor

(I didn't take the time to look at what this PR is doing, but there's no reason we have to use serve specifically here! It's just the particular combo of Vite's dev server + Cypress that doesn't play nicely)

Member Author

I believe vite preview uses a basic Node HTTP server to serve the static build assets. It's not running Vite's dev server from what I understand.

Let me investigate a little more and confirm that vite preview's performance is going to be comparable to Vercel's serve. I think it should be 🤞

Contributor

Ooh, you're right! That's awesome, I'm on board.

(Also see it running in CI -- it's totally on track 👍)

Member Author

To be clear, I do like the utility of serve. For example, I run yarn serve packages/manager/storybook-static pretty often to test Storybook builds, but from now on, I'll just do bunx serve packages/manager/storybook-static if I need it.

Contributor

we could also just run npx/pnpx serve in the pipeline without a local dependency

Contributor

discussed async: this is good 👍

Comment on lines -8131 to -8134
[email protected]:
version "2.2.1"
resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-2.2.1.tgz#90b617025a16381a879bc82a38d4e8bdeb2bcf45"
integrity sha512-gu9bD6Ta5bwGrrU8muHzVOBFFREpp2iRkVfhBJahwJ6p6Xw20SjT0MxLnwkjOibQmGSYhiUnf2FLe7k+jcFmGQ==
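
Review bot: Only the `2.2.1` entry is shown being removed here, so the alert closes only if no other entry in yarn.lock still resolves `path-to-regexp` to an affected version. Running `yarn why path-to-regexp` after the install and pasting the result in the PR would confirm that `serve` was the last dependent.
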
Member Author

This PR removes our serve devDependency which results in the vulnerable version of path-to-regexp being removed, resolving https://github.com/linode/manager/security/dependabot/111
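
One way to check the claim above in CI, as an added example that is not part of the PR or the project's code: a minimal scan of a yarn.lock v1 file that reports which versions of a package are resolved and which entries still depend on it. The function names and the sample lockfiles are constructed for illustration; the `serve` and `vite` versions in them are made up.

```javascript
// Added example (not from the PR): minimal yarn.lock v1 scan.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  let inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header: one or more comma-separated "name@range" specs.
      const spec = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      // lastIndexOf keeps the leading "@" of scoped names (@scope/pkg@^1.0.0).
      cur = { name: spec.slice(0, spec.lastIndexOf('@')), version: null, deps: {} };
      entries.push(cur);
      inDeps = false;
      continue;
    }
    if (!cur) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      // Two-space lines are entry fields; track when a dependency map opens.
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      const m = /^version "(.+)"$/.exec(body);
      if (m) cur.version = m[1];
    } else if (indent === 4 && inDeps) {
      const m = /^"?([^"\s]+)"? "?([^"]+)"?$/.exec(body);
      if (m) cur.deps[m[1]] = m[2];
    }
  }
  return entries;
}

function auditPackage(lockText, pkg) {
  const entries = parseYarnLock(lockText);
  return {
    versions: entries.filter((e) => e.name === pkg).map((e) => e.version),
    requiredBy: entries
      .filter((e) => Object.hasOwn(e.deps, pkg))
      .map((e) => `${e.name}@${e.version}`),
  };
}

// Constructed, simplified lockfiles; the serve and vite versions are made up.
const HEAD = '# yarn lockfile v1\n\n';
const VITE = 'vite@^5.0.0:\n  version "5.0.0"\n';
const BEFORE = HEAD + 'path-to-regexp@2.2.1:\n  version "2.2.1"\n\n' +
  'serve@^14.0.0:\n  version "14.0.0"\n  dependencies:\n    path-to-regexp "2.2.1"\n\n' + VITE;
const AFTER = HEAD + VITE;
console.log(auditPackage(BEFORE, 'path-to-regexp'), auditPackage(AFTER, 'path-to-regexp'));
```

A CI step built on this would fail the job when `versions` contains a release the advisory lists as affected, and `requiredBy` names the entries that would have to change first.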

github-actions bot commented Sep 27, 2024

Coverage Report:
Base Coverage: 86.98%
Current Coverage: 86.98%

component: <Security />,
});
// TODO: Unskip once M3-8559 is addressed.
it.skip('should render a root password input', async () => {
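
Review bot: The `it.skip` on 'should render a root password input' turns a test off in a PR that is otherwise about a dependency change. The TODO names M3-8559, which is good; also mention the re-skip in the PR description so the coverage gap is visible to anyone reading the change log.
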
Member Author

@bnussman-akamai bnussman-akamai Sep 27, 2024

I unskipped these in #11005 but they are still being flaky so I'm going to re-skip them. We have a ticket to further investigate this.

@bnussman-akamai bnussman-akamai changed the title from "chore: Attempt to fix last path-to-regexp dependabot alert" to "chore: Fix last path-to-regexp dependabot alert" Sep 27, 2024
@bnussman-akamai bnussman-akamai changed the title from "chore: Fix last path-to-regexp dependabot alert" to "chore: Fix last path-to-regexp dependabot alert by using vite preview instead of serve" Sep 27, 2024
Contributor

@coliu-akamai coliu-akamai left a comment

ty Banks! confirmed the cypress pipeline passed 🎉

@bnussman-akamai bnussman-akamai merged commit 0bc9d73 into linode:develop Sep 27, 2024
20 checks passed
cypress bot commented Sep 27, 2024

Cloud Manager E2E, Run #6589

Run properties:
Project: Cloud Manager E2E
Branch: develop
Run status: Passed #6589
Run duration: 26m 16s
Commit: 0bc9d73c4f: chore: Fix last `path-to-regexp` dependabot alert by using `vite preview` instead...
Committer: Banks Nussman

Test results:
Failures (tests that failed): 0
Flaky (tests that were flaky): 3
Pending (tests that did not run due to a developer annotating a test with .skip): 2
Skipped (tests that did not run due to a failure in a mocha hook): 0
Passing (tests that passed): 408
