JS upgrades to latest versions

I am currently trying to upgrade the used js libs to a more current state.
Steps done so far:

  • regenerate package-lock.json (there are some minor and patch version upgrades missing, see npm outdated output)
  • upgrade core-js to 3.31.0 (needs 2 patches to indico js libs)
  • upgrade @ckeditor/ckeditor5-react

I’ll try to create patches for these, as the local tests are successful.

Thanks, but please do not update random JS deps. We typically do that at some point before a release, and it’s the kind of contribution that is very hard to review. When doing it myself I usually check changelogs and test things manually at least for any major version bump.

That said, updating core-js is certainly welcome since that’s a nasty one, but please avoid a general npm update and similar…

And while I trust you as a long-term member of the community to not do anything funny in package-lock.json, I would not accept a contribution from a complete stranger that touches that file in a way that cannot be reviewed (which is clearly the case when hundreds or thousands of lines changed). Because IIRC you can sneak something nasty in via the lock file.

PS: I will only merge something related to JS deps after having branched out for 3.3, and after having merged this pr in order to avoid nasty merge conflicts…
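Added example, not part of the thread and not Indico's own tooling: a small Node.js check for the lock-file concern raised above, listing entries whose tarball source differs from what the package path implies. The function name `auditLockfile`, the allowed-host list and the sample lock file are assumptions constructed for illustration.

```javascript
// Constructed sample in npm lockfileVersion 3 layout; not Indico's real lock file.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/core-js": {
      resolved: "https://registry.npmjs.org/core-js/-/core-js-3.31.0.tgz",
      integrity: "sha512-CONSTRUCTED==" },
    "node_modules/@example/widget": {
      resolved: "https://registry.npmjs.org/@example/widget/-/widget-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED==" },
    "node_modules/sample-a": {   // tarball served from another host
      resolved: "https://registry.example.net/sample-a/-/sample-a-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED==" },
    "node_modules/sample-b": {   // path says sample-b, tarball is another package
      resolved: "https://registry.npmjs.org/other-pkg/-/other-pkg-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED==" },
    "node_modules/sample-c": {   // plain HTTP and a SHA-1 integrity value
      resolved: "http://registry.npmjs.org/sample-c/-/sample-c-1.0.0.tgz",
      integrity: "sha1-CONSTRUCTED=" },
  },
};

// Assumption: every dependency is expected to come from the public npm registry.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links/folders and bundled dependencies.
    if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
    const flag = (issue) => findings.push({ path, issue });
    // Aliased installs carry an explicit "name"; otherwise derive it from the path.
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    let url;
    try { url = new URL(entry.resolved); } catch { flag("unresolvable"); continue; }
    if (url.protocol !== "https:") flag("insecure-protocol");
    if (!allowedHosts.has(url.hostname)) flag("unexpected-host");
    else if (!url.pathname.startsWith(`/${name}/-/`)) flag("name-mismatch");
    if (!/^sha512-/.test(entry.integrity || "")) flag("weak-or-missing-integrity");
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

It checks where each tarball comes from, not what it contains, so it complements rather than replaces reading changelogs for version bumps.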

That’s actually totally fine with me.
One commit I did was just a full regeneration of package-lock from a clean state:

rm -rf src/node_module
rm package-lock.json
npm install

which actually seems wrong; it should be npm install --dev, but actually I would also prefer if I only need to provide the package.json changes and the package-lock gets regenerated at CERN.

Pretty sure npm install from a directory that contains package.json etc. (i.e. not installing a published package) includes dev deps by default. At least I never had to use --dev or similar.