Migrate to dart sass #939
Comments
|
Timebox to couple hours to do the switch and monitor it. |
kellylee-gds
added
the
🕔 Hours
36degrees
changed the title
|
I've got the prototype kit compiling using dart sass, but it is significantly slower. On the With dart-sass, it's more like 7-8s: I'm not sure we can accept this change with that sort of performance penalty. Making changes to the styles in a prototype would go from near-enough instantaneous to having a significant delay – long enough I think to be frustrating, and possibly to cause confusion (e.g. users being unsure whether their change has 'worked').
As far as I can tell at least some of the high vulnerabilities are incorrectly listed by Snyk as affecting all versions, when in fact they have been fixed: SNYK-JS-NODESASS-540974 SNYK-JS-NODESASS-540956 SNYK-JS-NODESASS-540996 I've contacted Snyk to flag this for their attention. Some of the other valid vulnerabilities listed appear to fixed in libsass 3.6, which should land in node-sass 5.0 – a pre-release for which came out 2 days ago. More broadly, generally Sass vulnerabilities rely on a malicious user being able to edit the Sass to cause the compiler to do unexpected things. If a malicious user is able to modify the Sass in the prototype then it's highly likely they can edit other code in the prototype as well - in which case they could already cause damage, without needing a vulnerability in the Sass compiler to exploit. I think we should remain on node-sass until the work on the Sass embedded protocol lands (or something else changes which gives dart-sass close enough performance to that of node-sass), updating to node-sass 5.0 as soon as it's generally available. |
|
great investigation @36degrees thanks! |
|
I thought I'd been testing dart-sass with Fibers as recommended when using dart-sass but I'd stashed those changes 🤦🏻 However, even with Fibers compilation still takes 5s or more: |
|
I've pushed a branch with my changes here, for future reference: |
|
Just to record the fact that there is an executable version of Dart Sass which is significantly faster. However it probably isn't workable for us as you can't run it in places like Heroku or Glitch |
|
I was previously on a project where compile times took similar times (rails) - it's workable, but also damn annoying. I suspect for novice users there's more chance as @36degrees says that they may think something has gone wrong. Like @36degrees says, as compilation only happens at build, I'd assume you'd need control of the repo to take advantage of any security vulnerabilities - which should greatly mitigate the short term risks. |
|
Removing the IE8 stylesheets also improves compilation times – bringing us down to ~3s – but that's true with node-sass as well where compilation times are reduced to ~500ms. For context, govuk-frontend compiles (on Travis) in 0.386s using LibSass, or 1.487s using Dart Sass. Which seems to tally with the times we're seeing, given in the |
|
@36degrees I wonder if we need to compile IE8 for prototyping? Or at least maybe it should be off by default? Is that hard? |
|
The Financial Times has the faster executable as an npm package: https://twitter.com/JakeDChampion/status/1374415348288475141 |
|
This was done in #1269, closing. |
What
Switch to using the Dart Sass compiler to compile the Sass in the prototype kit, rather than Node Sass.
Why
LibSass and Node Sass, which is built on top of LibSass, are both deprecated:
There are also currently known vulnerabilities in Node Sass.
Who needs to know about this
Joe
Further detail
Timebox - 2 hours
Done when
The text was updated successfully, but these errors were encountered: