Update yarn from version 1.22.21 to 3.4.1 and webpack-dev-server from 3.11.1 to 4.0.0 (#895)

We need to be able to conditionally set headers for pyodideWorker.js in
pull request #893
but this feature isn’t supported in webpack-dev-server 3.x.x. We
therefore need to upgrade to version 4.0.0 which allows a function to be
provided in the headers option. When attempting this upgrade, I ran into
[this issue](storybookjs/storybook#22431) and
only managed to resolve it by also updating yarn to version 3.

I’ve tried to follow the migration guide here:

https://github.com/webpack/webpack-dev-server/blob/master/migration-v4.md

Author: tuzz

.github/workflows/ci-cd.yml

@@ -24,7 +24,7 @@ jobs:
         scope: '@RaspberryPiFoundation'
 
     - name: Install code
-      run: yarn install --frozen-lock-file
+      run: yarn install --immutable
       env:
         NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -50,7 +50,7 @@ jobs:
         scope: '@RaspberryPiFoundation'
 
     - name: Install code
-      run: yarn install --frozen-lock-file
+      run: yarn install --immutable
       env:
         NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -80,7 +80,7 @@ jobs:
         scope: '@RaspberryPiFoundation'
 
     - name: Install code
-      run: yarn install --frozen-lock-file
+      run: yarn install --immutable
       env:
         NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/deploy.yml

@@ -117,7 +117,7 @@ jobs:
         scope: '@RaspberryPiFoundation'
 
     - name: Install code
-      run: yarn install --frozen-lock-file
+      run: yarn install --immutable
       env:
         NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.gitignore

@@ -27,5 +27,7 @@ node_modules
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+.yarn/cache
+.yarn/install-state.gz
 
 .vscode/settings.json

.yarn/releases/yarn-3.4.1.cjs

@@ -0,0 +1,5 @@
+nodeLinker: node-modules
+
+yarnPath: .yarn/releases/yarn-3.4.1.cjs
+
+checksumBehavior: "update"

.yarnrc.yml

@@ -10,6 +10,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - Minor copy changes to HTML add file modal
 - Toggle errors sent via apiCallHandler off (#890)
+- Upgrade webpack-dev-server to 4.0.0 to support conditional headers
+- Upgrade yarn to 3.4.1 to workaround a string-width issue
 
 ## [0.21.1] - 2024-01-11
 

CHANGELOG.md

@@ -14,49 +14,11 @@ const sockHost = process.env.WDS_SOCKET_HOST;
 const sockPath = process.env.WDS_SOCKET_PATH; // default: '/sockjs-node'
 const sockPort = process.env.WDS_SOCKET_PORT;
 
-module.exports = function (proxy, allowedHost) {
+module.exports = function (proxy, _allowedHost) {
   return {
-    // WebpackDevServer 2.4.3 introduced a security fix that prevents remote
-    // websites from potentially accessing local content through DNS rebinding:
-    // https://github.com/webpack/webpack-dev-server/issues/887
-    // https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a
-    // However, it made several existing use cases such as development in cloud
-    // environment or subdomains in development significantly more complicated:
-    // https://github.com/facebook/create-react-app/issues/2271
-    // https://github.com/facebook/create-react-app/issues/2233
-    // While we're investigating better solutions, for now we will take a
-    // compromise. Since our WDS configuration only serves files in the `public`
-    // folder we won't consider accessing them a vulnerability. However, if you
-    // use the `proxy` feature, it gets more dangerous because it can expose
-    // remote code execution vulnerabilities in backends like Django and Rails.
-    // So we will disable the host check normally, but enable it if you have
-    // specified the `proxy` setting. Finally, we let you override it if you
-    // really know what you're doing with a special environment variable.
-    disableHostCheck:
-      !proxy || process.env.DANGEROUSLY_DISABLE_HOST_CHECK === 'true',
+    allowedHosts: "all",
     // Enable gzip compression of generated files.
     compress: true,
-    // Silence WebpackDevServer's own logs since they're generally not useful.
-    // It will still show compile warnings and errors with this setting.
-    clientLogLevel: 'none',
-    // By default WebpackDevServer serves physical files from current directory
-    // in addition to all the virtual build products that it serves from memory.
-    // This is confusing because those files won’t automatically be available in
-    // production build folder unless we copy them. However, copying the whole
-    // project directory is dangerous because we may expose sensitive files.
-    // Instead, we establish a convention that only files in `public` directory
-    // get served. Our build script will copy `public` into the `build` folder.
-    // In `index.html`, you can get URL of `public` folder with %PUBLIC_URL%:
-    // <link rel="icon" href="%PUBLIC_URL%/favicon.ico">
-    // In JavaScript code, you can access it with `process.env.PUBLIC_URL`.
-    // Note that we only recommend to use `public` folder as an escape hatch
-    // for files like `favicon.ico`, `manifest.json`, and libraries that are
-    // for some reason broken when imported through webpack. If you just want to
-    // use an image, put it in `src` and `import` it from JavaScript instead.
-    contentBase: paths.appPublic,
-    contentBasePublicPath: paths.publicUrlOrPath,
-    // By default files from `contentBase` will not trigger a page reload.
-    watchContentBase: true,
     // Enable hot reloading server. It will provide WDS_SOCKET_PATH endpoint
     // for the WebpackDevServer client so it can learn when the files were
     // updated. The WebpackDevServer client is included as an entry point
@@ -65,71 +27,92 @@ module.exports = function (proxy, allowedHost) {
     hot: true,
     // Use 'ws' instead of 'sockjs-node' on server since we're using native
     // websockets in `webpackHotDevClient`.
-    transportMode: 'ws',
-    // Prevent a WS client from getting injected as we're already including
-    // `webpackHotDevClient`.
-    injectClient: false,
-    // Enable custom sockjs pathname for websocket connection to hot reloading server.
-    // Enable custom sockjs hostname, pathname and port for websocket connection
-    // to hot reloading server.
-    sockHost,
-    sockPath,
-    sockPort,
+    webSocketServer: 'ws',
     // It is important to tell WebpackDevServer to use the same "publicPath" path as
     // we specified in the webpack config. When homepage is '.', default to serving
     // from the root.
     // remove last slash so user can land on `/test` instead of `/test/`
-    publicPath: paths.publicUrlOrPath.slice(0, -1),
-    // WebpackDevServer is noisy by default so we emit custom message instead
-    // by listening to the compiler events with `compiler.hooks[...].tap` calls above.
-    quiet: true,
-    // Reportedly, this avoids CPU overload on some systems.
-    // https://github.com/facebook/create-react-app/issues/293
-    // src/node_modules is not ignored to support absolute imports
-    // https://github.com/facebook/create-react-app/issues/1065
-    watchOptions: {
-      ignored: ignoredFiles(paths.appSrc),
+    devMiddleware: {
+      publicPath: paths.publicUrlOrPath.slice(0, -1),
+    },
+    static: {
+      // By default WebpackDevServer serves physical files from current directory
+      // in addition to all the virtual build products that it serves from memory.
+      // This is confusing because those files won’t automatically be available in
+      // production build folder unless we copy them. However, copying the whole
+      // project directory is dangerous because we may expose sensitive files.
+      // Instead, we establish a convention that only files in `public` directory
+      // get served. Our build script will copy `public` into the `build` folder.
+      // In `index.html`, you can get URL of `public` folder with %PUBLIC_URL%:
+      // <link rel="icon" href="%PUBLIC_URL%/favicon.ico">
+      // In JavaScript code, you can access it with `process.env.PUBLIC_URL`.
+      // Note that we only recommend to use `public` folder as an escape hatch
+      // for files like `favicon.ico`, `manifest.json`, and libraries that are
+      // for some reason broken when imported through webpack. If you just want to
+      // use an image, put it in `src` and `import` it from JavaScript instead.
+      directory: paths.appPublic,
+      publicPath: paths.publicUrlOrPath,
+      // By default files from `directory` will not trigger a page reload.
+      // Reportedly, this avoids CPU overload on some systems.
+      // https://github.com/facebook/create-react-app/issues/293
+      // src/node_modules is not ignored to support absolute imports
+      // https://github.com/facebook/create-react-app/issues/1065
+      watch: {
+        ignored: ignoredFiles(paths.appSrc),
+      },
     },
     https: getHttpsConfig(),
     host,
-    overlay: false,
     historyApiFallback: {
       // Paths with dots should still use the history fallback.
       // See https://github.com/facebook/create-react-app/issues/387.
       disableDotRule: true,
       index: paths.publicUrlOrPath,
     },
-     headers: {
+    headers: {
       "Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
       "Access-Control-Allow-Headers": "X-Requested-With, content-type, Authorization"
     },
-    public: allowedHost,
+    client: {
+      // Silence WebpackDevServer's own logs since they're generally not useful.
+      // It will still show compile warnings and errors with this setting.
+      logging: 'none',
+      overlay: false,
+      webSocketURL: {
+        // Enable custom sockjs pathname for websocket connection to hot reloading server.
+        // Enable custom sockjs hostname, pathname and port for websocket connection
+        // to hot reloading server.
+        hostname: sockHost,
+        pathname: sockPath,
+        port: sockPort,
+      },
+    },
     // `proxy` is run between `before` and `after` `webpack-dev-server` hooks
     proxy,
-    before(app, server) {
+    onBeforeSetupMiddleware(devServer) {
       // Keep `evalSourceMapMiddleware` and `errorOverlayMiddleware`
       // middlewares before `redirectServedPath` otherwise will not have any effect
       // This lets us fetch source contents from webpack for the error overlay
-      app.use(evalSourceMapMiddleware(server));
+      devServer.app.use(evalSourceMapMiddleware(devServer));
       // This lets us open files from the runtime error overlay.
-      app.use(errorOverlayMiddleware());
+      devServer.app.use(errorOverlayMiddleware());
 
       if (fs.existsSync(paths.proxySetup)) {
         // This registers user provided middleware for proxy reasons
-        require(paths.proxySetup)(app);
+        require(paths.proxySetup)(devServer.app);
       }
     },
-    after(app) {
+    onAfterSetupMiddleware(devServer) {
       // Redirect to `PUBLIC_URL` or `homepage` from `package.json` if url not match
-      app.use(redirectServedPath(paths.publicUrlOrPath));
+      devServer.app.use(redirectServedPath(paths.publicUrlOrPath));
 
       // This service worker file is effectively a 'no-op' that will reset any
       // previous service worker registered for the same host:port combination.
       // We do this in development to avoid hitting the production cache if
       // it used the same host and port.
       // https://github.com/facebook/create-react-app/issues/2272#issuecomment-302832432
-      app.use(noopServiceWorkerMiddleware(paths.publicUrlOrPath));
+      devServer.app.use(noopServiceWorkerMiddleware(paths.publicUrlOrPath));
     },
   };
 };

config/webpackDevServer.config.js

@@ -80,7 +80,7 @@
   "scripts": {
     "start": "node scripts/start.js",
     "build": "node scripts/build.js",
-    "build:dev": "yarn install --force && yarn run build-storybook && node scripts/build.js",
+    "build:dev": "yarn install --check-cache && yarn run build-storybook && node scripts/build.js",
     "build-storybook": "cd ./storybook && yarn install && yarn run build-storybook -- -o ../public/storybook --loglevel warn",
     "lint": "eslint \"src/**/*.{js,jsx,json}\"",
     "lint:fix": "eslint --fix \"src/**/*.{js,jsx,json}\"",
@@ -186,7 +186,7 @@
     "webgl-mock-threejs": "^0.0.1",
     "webpack": "4.44.2",
     "webpack-cli": "^4.9.2",
-    "webpack-dev-server": "3.11.1",
+    "webpack-dev-server": "4.0.0",
     "webpack-manifest-plugin": "2.2.0",
     "workbox-webpack-plugin": "5.1.4"
   },
@@ -246,5 +246,6 @@
       "jest-watch-typeahead/testname"
     ],
     "resetMocks": true
-  }
+  },
+  "packageManager": "yarn@3.4.1"
 }

package.json

@@ -11,16 +11,16 @@
     "@storybook/addon-actions": "6.5.10",
     "@storybook/addon-essentials": "6.5.10",
     "@storybook/addon-interactions": "6.5.10",
-    "@storybook/builder-webpack4": "6.5.10",
-    "@storybook/manager-webpack4": "6.5.10",
-    "@storybook/mdx2-csf": "0.0.3",
-    "@storybook/preset-scss": "^1.0.3",
-    "@storybook/react": "6.5.10",
     "@storybook/blocks": "^7.5.3",
+    "@storybook/builder-webpack4": "6.5.10",
     "@storybook/channels": "^7.5.3",
     "@storybook/components": "^7.5.3",
     "@storybook/core-events": "^7.5.3",
+    "@storybook/manager-webpack4": "6.5.10",
+    "@storybook/mdx2-csf": "0.0.3",
+    "@storybook/preset-scss": "^1.0.3",
     "@storybook/preview-api": "^7.5.3",
+    "@storybook/react": "6.5.10",
     "@storybook/theming": "^7.5.3",
     "css-loader": "^5.2.6",
     "i18next": "^23.7.6",