18 Commits

Author SHA1 Message Date
Damien Elmes
cc648f4c0a Update for jinja2 security warning 2024-01-12 15:17:26 +10:00
Damien Elmes
a5de0fb40a Update Python deps 2023-11-27 13:34:42 +10:00
Damien Elmes
e327195470 Update pip for CVE [action required]
If this is not your first time building Anki, remove out/pyenv to
fix the error you'll get after updating to this commit.
2023-11-03 14:21:12 +10:00
Damien Elmes
f69b3c73e1 Update pip-tools
Required for the following commit
2023-11-03 14:19:23 +10:00
Damien Elmes
48dfe502f2 Bump werkzeug for CVE 2023-10-26 11:23:24 +10:00
Damien Elmes
197c486bc0 Bump urllib3 for CVE 2023-10-18 08:56:48 +10:00
Damien Elmes
9165a7efaf Update urllib3
Minor CVEs
2023-10-03 12:25:06 +10:00
Damien Elmes
9ce98207be Update certifi for minor bug fix 2023-07-26 20:41:19 +10:00
Damien Elmes
85c2769f80 Update Rust and Python deps (#2567)
* Update Python deps

* Update semver-compat Rust deps

* Update most crates to latest semver

* Update to latest axum-client-ip
2023-07-01 18:26:43 +10:00
Damien Elmes
823ca4c8a9 Split the Qt requirements into per-platform deps
Since more often than not, we can't use the same Qt version on all
platforms due to regressions.
2023-06-22 09:46:09 +10:00
Damien Elmes
e100789d24 Update requests for CVE
CVE-2023-32681
2023-05-24 16:09:15 +10:00
Damien Elmes
113239748b Update flask for security update
CVE-2023-30861

It doesn't look like it affects us.
2023-05-02 14:43:04 +10:00
Damien Elmes
e20e7f7af1 Update to the latest wheel package; make code work with it 2023-04-12 16:17:00 +10:00
Damien Elmes
82caffecbc Revert wheel upgrade
Will need to investigate why it's breaking bundles:

https://buildkite.com/ankitects/anki-ci/builds/5642#018735f6-5178-427a-9143-b6e610433408
2023-03-31 15:04:51 +10:00
Damien Elmes
0a0d17ff98 Update Python deps
- Black's formatting has changed
- Pylint has introduced a new lint
2023-03-31 14:04:05 +10:00
Damien Elmes
b4290fbe44 Bump werkzeug version
Fixes CVE-2023-23934
2023-02-16 17:41:25 +10:00
Damien Elmes
f9f8769ea8 Update certifi to fix security alert 2022-12-11 11:42:08 +10:00
Damien Elmes
5e0a761b87 Move away from Bazel (#2202)
(for upgrading users, please see the notes at the bottom)

Bazel brought a lot of nice things to the table, such as rebuilds based on
content changes instead of modification times, caching of build products,
detection of incorrect build rules via a sandbox, and so on. Rewriting the build
in Bazel was also an opportunity to improve on the Makefile-based build we had
prior, which was pretty poor: most dependencies were external or not pinned, and
the build graph was poorly defined and mostly serialized. It was not uncommon
for fresh checkouts to fail due to floating dependencies, or for things to break
when trying to switch to an older commit.

For day-to-day development, I think Bazel served us reasonably well - we could
generally switch between branches while being confident that builds would be
correct and reasonably fast, and not require full rebuilds (except on Windows,
where the lack of a sandbox and the TS rules would cause build breakages when TS
files were renamed/removed).

Bazel achieves that reliability by defining rules for each programming language
that define how source files should be turned into outputs. For the rules to
work with Bazel's sandboxing approach, they often have to reimplement or
partially bypass the standard tools that each programming language provides. The
Rust rules call Rust's compiler directly for example, instead of using Cargo,
and the Python rules extract each PyPI package into a separate folder that gets
added to sys.path.

These separate language rules allow proper declaration of inputs and outputs,
and offer some advantages such as caching of build products and fine-grained
dependency installation. But they also bring some downsides:

- The rules don't always support use-cases/platforms that the standard language
tools do, meaning they need to be patched to be used. I've had to contribute a
number of patches to the Rust, Python and JS rules to unblock various issues.
- The dependencies we use with each language sometimes make assumptions that do
not hold in Bazel, meaning they either need to be pinned or patched, or the
language rules need to be adjusted to accommodate them.

I was hopeful that after the initial setup work, things would be relatively
smooth-sailing. Unfortunately, that has not proved to be the case. Things
frequently broke when dependencies or the language rules were updated, and I
began to get frustrated at the amount of Anki development time I was instead
spending on build system upkeep. It's now about 2 years since switching to
Bazel, and I think it's time to cut losses, and switch to something else that's
a better fit.

The new build system is based on a small build tool called Ninja, and some
custom Rust code in build/. This means that to build Anki, Bazel is no longer
required, but Ninja and Rust need to be installed on your system. Python and
Node toolchains are automatically downloaded like in Bazel.

This new build system should result in faster builds in some cases:

- Because we're using cargo to build now, Rust builds are able to take advantage
of pipelining and incremental debug builds, which we didn't have with Bazel.
It's also easier to override the default linker on Linux/macOS, which can
further improve speeds.
- External Rust crates are now built with opt=1, which improves performance
of debug builds.
- Esbuild is now used to transpile TypeScript, instead of invoking the TypeScript
compiler. This results in faster builds, by deferring typechecking to test/check
time, and by allowing more work to happen in parallel.

As an example of the differences, when testing with the mold linker on Linux,
adding a new message to tags.proto (which triggers a recompile of the bulk of
the Rust and TypeScript code) results in a compile that goes from about 22s on
Bazel to about 7s in the new system. With the standard linker, it's about 9s.

Some other changes of note:

- Our Rust workspace now uses cargo-hakari to ensure all packages agree on
available features, preventing unnecessary rebuilds.
- pylib/anki is now a PEP420 implicit namespace, avoiding the need to merge
source files and generated files into a single folder for running. By telling
VSCode about the extra search path, code completion now works with generated
files without needing to symlink them into the source folder.
- qt/aqt can't use PEP420 as it's difficult to get rid of aqt/__init__.py.
Instead, the generated files are now placed in a separate _aqt package that's
added to the path.
- ts/lib is now exposed as @tslib, so the source code and generated code can be
provided under the same namespace without a merging step.
- MyPy and PyLint are now invoked once for the entire codebase.
- dprint will be used to format TypeScript/json files in the future instead of
the slower prettier (currently turned off to avoid causing conflicts). It can
automatically defer to prettier when formatting Svelte files.
- svelte-check is now used for typechecking our Svelte code, which revealed a
few typing issues that went undetected with the old system.
- The Jest unit tests now work on Windows as well.

If you're upgrading from Bazel, updated usage instructions are in docs/development.md and docs/build.md. A summary of the changes:

- please remove node_modules and .bazel
- install rustup (https://rustup.rs/)
- install rsync if not already installed (on Windows, use pacman - see docs/windows.md)
- install Ninja (unzip from https://github.com/ninja-build/ninja/releases/tag/v1.11.1 and
  place on your path, or from your distro/homebrew if it's 1.10+)
- update .vscode/settings.json from .vscode.dist
2022-11-27 15:24:20 +10:00