move jquery to peerDependencies

[graingert]

https://nodejs.org/en/blog/npm/peer-dependencies/

[graingert]

Without this, it can cause selectize to try to use a different jquery than the main jquery

[graingert]

@joallard currently selictize is locked to jQuery >=1.7.0 <2.0.0 for npm users. This pr opens that range up to include v2 and v3, and also ensures that only one version of jQuery is installed and used.

[graingert]

Fixes: #1277 I think

[matason]

Thanks @graingert, this fixes it for me.

[Kovah]

This would also solve this jQuery security vulnerability, which is patched in versions >= 3.0.0.

[graingert]

Nice, any chance of a release?

…

On Wed, 11 Jul 2018, 19:19 Jonathan Allard, ***@***.***> wrote: Merged #1414 <#1414>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1414 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAZQTOZq5STK94H-VKVjSAt93Tl_5whBks5uFkGUgaJpZM4UYxyM> .

[joallard]

Done. 0.12.6

[Pictor13]

Great!

About jQuery, do we need to keep it in bower.json with that version range, for any retro-compatibility reason, or could we even remove it from there and rely on bower-away to move all the dependencies to package.json (Yarn/Npm) ?
Or do it manually, without bower-away.

Correct me if I am wrong, but I see no reason for having two conflicting definitions in bower and npm; is there?

[graingert]

Use boweraway there's no need for bower any more On 13 Jul 2018 09:44, "Igor Pellegrini" <[email protected]> wrote: Great! About jQuery, do we need to keep it in *bower.json* with that version range, for any retro-compatibility reason, or could we even remove it from there and rely on bower-away <https://github.com/bower/bower-away> to move all the dependencies to package.json (Yarn/Npm) ? Correct me if I am wrong, but I see no reason for having two conflicting definitions in bower and npm; is there? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1414 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAZQTINKJBaOXf2Mw0QuFgWZpwGjI0VAks5uGF3tgaJpZM4UYxyM> .

[Pictor13]

Looks like there is an issue with forcing the jQuery version to ^3.3.1 (#1428).

I guess peerDependencies wins over dependencies and doesn't retain the ^1.7 compatibility.

[Pictor13]

graingert wrote:

Use boweraway there's no need for bower any more

I just want to be sure that we are not leaving anybody down in removing bower (old setups? other cases?).
And (I guess) we should anyway keep the bower.json manifest, so that it's still up to the developer to choose to search the package over the bower registry or download it from there? Am I wrong?

Am not sure that installation will still work without any specified bower dependency; but maybe it's fine anyway (should be tested).

Don't we want that users that were using bower install (or have scripts using that) could keep doing so?
The difference would be just that it delegates to npm the role of single-source-of-truth for the dependencies.
(I guess there should be a way to tell bower to rely on npm/yarn, when installing; am still looking at how it could work)

EDIT:
maybe I should move this discussion to a separate issue? 😅

[joallard]

Phasing out bower is something I agree we should go in the direction of, I'd be receptive to such PRs