Replace libraries (gems) with small communities with alternatives

[andreslucena]

Is your feature request related to a problem? Please describe.

Decidim currently has dependencies for several external software libraries (“gems”) that have rather small communities. This causes a “bus factor” risk for the code base that can lead to awkward maintenance issues in case support is ended for some of these dependencies. Another risk is the low exposure of these gems to security audits and external testing which can lead, for example, to security vulnerabilities.

Describe the solution you'd like

To replace or remove:

• anchored - Remove anchored dependency #8453
• nobspw - Update password strength check #8455
• truncato - Remove truncato dependency #8507
• etherpad-lite - Remove etherpad-lite dependency #8541
• searchlight/spotlight - Replace searchlight with ransack which is already a core dependency #8748
• system_test_html_screenshots - Update rails to 6.1 #8411

Describe alternatives you've considered

I have initially identified some gems to be replaced by analyzing some metrics (such as stars, forks, etc) and thought that we should replace others (like doc2text, fog-local, doorkeeper-i18n...) but I was corrected by @ahukkanen as some of these changes didn't make much sense (like the risk was low because some are from specs) or there weren't any good alternatives.

Additional context

For transparency and to have it documented, here's the table with the gems that we analyzed.

Gem	My opinion	Mainio Tech opinion	Notes
doc2text	Replace	Keep	Converts ODT documents to participatory texts within the proposals component. The only potential alternative that has recent commit history and a larger community is the henkei gem but it would also add a Java dependency for the Apache Tika toolkit. Current solution is more ruby like but needs to be kept an eye on. Could be considered for rewrite within Decidim but for the use case we don’t believe would be worth the effort.
w3c_rspec_validators	Replace	Keep	Only used for testing workflows to ensure Decidim has valid HTML. The gem itself is a wrapper for w3c_validators which does an HTTP request to the well maintained W3C validation service and reads its response. Easy to replace in case necessary and does not affect Decidim applications.
anchored	Replace	Replace	Used to create automatically links within proposals, debates and private messages. There is a more popular gem named rinku to provide similar functionality but does not seem to be actively maintained anymore. Required functionality to be rewritten within Decidim.
fog-local	Replace	Keep	Required to store files locally in Decidim, so this is necessary after the move to ActiveStorage. The fog gem itself is well maintained and popular. This gem is maintained by the same organization.
nobspw	Replace	Replace	Provides password matching against a known database of weak passwords. Create a similar password blacklist from a known source and check the passwords against that list within Decidim’s own validator. Required functionality to be rewritten within Decidim.
doorkeeper-i18n	Replace	Keep	Provides locales for the Doorkeeper gem which is well maintained. Doorkeeper is needed for running Decidim as an oauth2 authentication provider. Doorkeeper itself is well maintained and this gem localizes it.
simplecov-cobertura	Replace	Keep	Only a dependency for the testing workflows. Formats the code coverage reports for Cobertura. Does not affect Decidim applications.
truncato	Replace	Replace	Used to truncate HTML texts to shorter texts that contain HTML markup before and after the truncation. Difficult to replicate all the functionality that the gem provides but it should be manageable to create a good enough alternative within Decidim that works for the Decidim use cases.
seven_zip_ruby	Replace	Keep	Used to encrypt and password protect specific files in Decidim. There are no better maintained alternatives available that provide strong encryption for zip files. There has been some discussion for Rubyzip to incorporate AES encryption in that library but there is no recent activity regarding that. Keep an eye on the related discussion for Rubyzip or implement AES encryption to Rubyzip (search for “AES” from the repository pull requests).
wisper-rspec	Replace	Keep	Only a dependency for the testing workflows. Allows writing rspec tests for the publish events within Decidim commands. Does not affect Decidim applications.
rspec-cells	Replace	Keep	Only used for testing workflows. Allows testing the Decidim cells. Does not affect Decidim applications.
etherpad-lite	Replace	Replace	Used to retrieve text through Etherpad API and retrieving Etherpad public or read-only IDs from the same API. Required functionality to be rewritten within Decidim.
searchlight/spotlight	Replace	Replace	To be replaced with Ransack that provides similar functionality.
system_test_html_scr eenshots	N/A	Replace	Takes screenshots of the browser test results for inspection during the test workflows. Dependency requirements are blocking Rails 6.1 update and the gem is not well maintained. Consists of one simple helper for the RSpec tests that can be moved to Decidim codebase. Required functionality to be moved to Decidim.

Does this issue could impact on users private data?

It's a refactor, so it shouldn't change the behavior.

Funded by

Decidim Association

---

Note: this issue definition was largely made by @ahukkanen and @lahdeero, they explain it all really well, I just made some formatting 😄

[alecslupu]

@andreslucena , the system_test_html_screenshots gem has been removed in rails 6.1 upgrade, and adds the file directly to core.

[froger]

Thanks for sharing @andreslucena.
Not wanting to troll in this issue, but foundation lib see code frequency and jquery could maybe be on deprecated lib list as well.... Just food for thoughts :P

[andreslucena]

@andreslucena , the system_test_html_screenshots gem has been removed in rails 6.1 upgrade, and adds the file directly to core.

Yes, we've seen it... thanks @alecslupu 👏🏽

Not wanting to troll in this issue, but foundation lib see code frequency and jquery could maybe be on deprecated lib list as well.... Just food for thoughts :P

Don't worry!! FYI, we've discussed most of these topics in #8235 #7234 (I forgot to link to those discussions). I think we should open a new one just to keep track of JavaScript libraries.

I agree that jQuery in 2021 maybe it's not necessary anymore, although I am not aware what's the state of dependent libraries that we could have. For sure, the biggest one would be Foundation. Regarding Foundation, a couple of years ago they were talking about releasing v7, but it seems like it isn't actively developed (or at least I don't find any activity in the open)

foundation/foundation-sites#11847
foundation/foundation-sites#10686

Also in one of the Redesign Decidim internal meetings we discussed until what point was a good time to drop Foundation, but we thought that it could be a huge issue to tackle, specially regarding the backwards compatibility... The idea is that the development team (Populate Tools) would study the situation and when they have a proposal they'd open a GitHub Discussion or something like that. (cc @furilo)

[ahukkanen]

It goes a bit off topic, as the original idea was to replace the Ruby gems, but I'll also address the Foundation/jQuery issue here as they were mentioned, and until the new proposal comes out.

TL;DR

Sorry for the long post but I just had to get it out of my head while it's still fresh.

TL;DR:

1. I support dropping jQuery (at some point in the future), I don't think it's necessary, although it is still required through Foundation

• When doing so, please keep jQuery in as a dependency at least for few official releases forward to maintain compatibility for external modules still using it.

2. I don't support dropping Foundation at this point without an extremely easy migration path for external developers

• Instead, invest in UX standardization and guidelines

Foundation is stagnating but not dead

I personally think Foundation is stagnating and the project is not anymore developed by Zurb as they gave it to the community:
foundation/foundation-sites#12191

Zurb is still using it in their products, though, so they have not abandoned it.

The most active developer stopped working on it 2,5 years ago, although he is still occasionally popping by at the issues/PRs:
foundation/foundation-sites#11767

But the project is not completely dead, as also pointed out in those threads. There was an issue in current Foundation version with the upcoming Dart Sass release and they (= the community maintainers) accepted our PR to fix it in a timely manner. And they even rolled out a release shortly after that.

Regarding future developments, I don't have the feeling Foundation 7 will happen any time soon, unless there is someone who invests in in, i.e. pays someone at the Foundation maintenance team to do it (for example). Nothing happens automatically with good spirit and some water.

I don't think anyone is getting paid to work on Foundation right now, which is why it is stagnating.

What are the alternatives?

As @andreslucena pointed out, this would be quite a big backwards breaking effort to change it at this point, although it has happened to other projects in the past. Those migration paths are generally very painful, even if the change was not that big of a deal for the core itself. People want backwards compatibility, as why MS products or WP are so popular, for example. I think people are already afraid of the webpack migration, which hasn't gone fully smoothly either.

And even when changing the library, what is the real value that we get out of it, apart from dropping jQuery? Is there some security or accessibility issues in the current version of Foundation? Well, at least few with accessibility, but we were able to build a layer on top of that to fix some of those in Decidim itself.

I've seen some other large projects using the big bird company's largely popular framework (which I personally prefer over Foundation, btw), and they also struggle to update between the different versions of the framework, which are also at least partly breaking backwards compatibility. If the only value is dropping jQuery, I would suggest investing in the Foundation 7 update, as that would be much smoother upgrade path.

I'm also not saying the migration to another library is impossible with good guidance and documentation. I'm just saying people don't generally like that.

What's the real problem that needs to be addressed?

I think the bigger challenge with Decidim UI/UX today is that there needs to be a standardized approach to the whole UI and some level of understanding built for the developers on how and when to use the different UI components + some level of design direction when new features are built. Cards are super popular right now, as we can also see in Decidim, but does everything has to be a card? And does the card have to be cluttered with information or is there some better way to present it? If you have two large cards on a mobile screen, it takes the whole screen, where as a row based layout could show up many more items on the screen. Or as it was mentioned in the first redesign meeting of Decidim by the designer, that he did not really mean card to be used for the help page topics, the developer just decided to use them because there was no better guidance on the matter.

I think this kind of standardization stuff would add much more value to the Decidim UI than switching the framework itself. If Foundation dies at some point (as all projects do at some point), fork it, call it "fundació" and fix the problems in it. Focus on bringing more value to the UI developers instead, to provide a more coherent experience for end users and developers. As the "foundation" framework name says it, it's "foundation", a starting point, something to build upon. It's not a complete UI guideline.

I think @cyberschnaps put it pretty nicely at Decidim Fest as he said something like

Foundation is just a "buch of stuff". Not a UI framework.

Please correct me for any misquotes @cyberschnaps.

More on this matter, let's continue at:
https://meta.decidim.org/processes/RedesignDecidim/f/1663/debates/230
#8550

[froger]

Thanks @ahukkanen, it is going off topic indeed :D. I realized that I wanted to bring actually something different from what we are discussing here. I created a new issue about what I really want to talk about: #8547.

This issue about removing poorly maintained gem was just a trigger for me, sorry for the mess.

[tramuntanal]

doc2text will be difficult to replace because of the lack of alternatives (at the moment of the development and now https://www.ruby-toolbox.com/search?display=compact&order=rubygem_latest_release_on&q=odt&show_forks=false). An option to get rid of it is to only accept markdown documents, but I would rather embrace it as the owner is keen to accept Decidim's improvements. I'll try to apply the latest security update to the gem: bostko/doc2text#15