npm package should exclude external, build & .github directories
The npm package 'jquery-ui' includes the directory external/jquery/ (among others) in addition to the regular package dependency on jquery. Is there a reason for that?
Dropping the jquery copies would shrink the npm package by a few MBytes (~12 MiB, which is quite substantial, considering the whole package is around 15 MiB). Another benefit would be that security scanners no longer identify jquery-ui as containing vulnerable versions of jquery.
I would suggest at least excluding the external/jquery*/ directories from npm by listing them in .npmignore. Maybe even the complete external/ directory tree.
Thanks for the report.
I was worried the https://github.com/jquery/download.jqueryui.com code installs jquery-ui from npm, but no, it clones the repo. Considering that the tests & demos folders are already excluded, I don't see a reason to keep external. We could try removing it.
@fnagel do you know a reason for not excluding this folder? I also wonder if removing it should be treated as a breaking change and deferred until 1.14.
@mgol No, I have no knowledge why this folder is included. That was long before my time and I was never involved in the whole build and publishing thing.
I would consider removing this folder as a breaking change. One could use the files in local building tools, so removing those would be breaking.
Thanks, Felix! I was also leaning towards treating this as breaking but I wanted a second opinion.
Setting the milestone appropriately.
Did anything ever come of this? Having all the old jquery versions in external/ is setting off our security scans.
We consider this a breaking change which is why it’s scheduled for 1.14.0. We don’t expect that version to arrive soon, though.
We should also remove the build & .github folders from the package, BTW.