Use NPM packages instead of bower for formgrader extension dependencies #1967

Merged
brichet merged 4 commits into jupyter:main from brichet:remove_bower_dependency
Nov 26, 2025

@brichet brichet commented May 9, 2025

Fixes #1966
Should fix https://github.com/jupyter/nbgrader/security/dependabot/60

This PR replaces the use of the deprecated bower with NPM.
It also updates the underscore dependency to >=1.13.1, which should fix a security error.

github-actions Bot commented May 9, 2025

Binder 👈 Launch a Binder on branch brichet/nbgrader/remove_bower_dependency

@brichet brichet marked this pull request as ready for review May 9, 2025 12:22
Comment thread .gitignore
Comment on lines +100 to +112
nbgrader/server_extensions/formgrader/static/node_modules/autosize/example
nbgrader/server_extensions/formgrader/static/node_modules/autosize/src
nbgrader/server_extensions/formgrader/static/node_modules/bootstrap/less
nbgrader/server_extensions/formgrader/static/node_modules/bootstrap/js
nbgrader/server_extensions/formgrader/static/node_modules/bootstrap/grunt
nbgrader/server_extensions/formgrader/static/node_modules/jquery/external
nbgrader/server_extensions/formgrader/static/node_modules/jquery/src
nbgrader/server_extensions/formgrader/static/node_modules/underscore/amd
nbgrader/server_extensions/formgrader/static/node_modules/underscore/cjs
nbgrader/server_extensions/formgrader/static/node_modules/underscore/modules
nbgrader/server_extensions/formgrader/static/node_modules/underscore/underscore-esm*
nbgrader/server_extensions/formgrader/static/node_modules/underscore/underscore-node*
nbgrader/server_extensions/formgrader/static/node_modules/underscore/underscore-umd*
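Review bot: lines +100 to +112 have no comment explaining why these particular subdirectories of autosize, bootstrap, jquery and underscore are ignored, and each rule is tied to a package's current layout, so a directory that a later version adds under one of these packages is not covered by any of them. Suggest a short comment above the block stating what is meant to stay tracked, and re-checking the list whenever one of the four packages is bumped.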
Contributor

@shreve shreve May 9, 2025

Because we're using the exceptions below, we can replace all of these specific rules with a more general one:

nbgrader/server_extensions/formgrader/static/node_modules/**/*

I think this would make maintenance a tiny bit easier moving forward.

Contributor Author

I think it would be quite similar; we would have to specify which files we want to keep instead of specifying which files we want to remove.
We probably want to keep package.json files, readme and some other files to know the version fetched.

The exceptions below are to prevent the following from removing these directories:

dist/
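
A check for the version floor named in the PR description, reading the package.json files that the comment above proposes keeping. This is an added example, not part of the PR or of nbgrader's code; the function names and the sample tree are constructed, and only the underscore >=1.13.1 floor comes from the page.

```python
import json
import re
import tempfile
from pathlib import Path

# Version floors to enforce. The underscore floor is the one stated in the
# PR description; the dict layout itself is an assumption of this example.
MINIMUM = {"underscore": (1, 13, 1)}

def parse_version(text):
    """Return (major, minor, patch); any pre-release suffix is ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.groups())

def audit(node_modules, minimum=MINIMUM):
    """Return (package, problem) pairs for packages missing or below their floor."""
    findings = []
    root = Path(node_modules)
    for name, floor in sorted(minimum.items()):
        manifest = root / name / "package.json"
        if not manifest.is_file():
            # Without the manifest the fetched version cannot be verified.
            findings.append((name, "package.json missing, version unknown"))
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            found = parse_version(data["version"])
        except (KeyError, ValueError, TypeError, AttributeError) as exc:
            findings.append((name, f"unreadable version ({exc})"))
            continue
        if found < floor:
            findings.append((name, "%d.%d.%d is below %d.%d.%d" % (found + floor)))
    return findings

def demo():
    """Audit a constructed node_modules tree in three states."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "underscore"
        pkg.mkdir()
        manifest = pkg / "package.json"
        manifest.write_text(json.dumps({"name": "underscore", "version": "1.12.0"}))
        old = audit(tmp)
        manifest.write_text(json.dumps({"name": "underscore", "version": "1.13.1"}))
        new = audit(tmp)
        manifest.unlink()
        missing = audit(tmp)
    return old, new, missing
```

Pointed at `nbgrader/server_extensions/formgrader/static/node_modules`, `audit()` returns an empty list when every listed package meets its floor.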

Contributor

Ah, I see what you mean. I think the change I want to see goes well beyond the scope of this PR. Thanks for clarifying.


brichet commented Nov 26, 2025

Let's merge this one as it fixes some deprecated dependencies.

@brichet brichet merged commit 5e259c3 into jupyter:main Nov 26, 2025
25 checks passed
@brichet brichet deleted the remove_bower_dependency branch February 6, 2026 22:39
Successfully merging this pull request may close these issues.

Do not depend on bower for frontend packages
