2025-10-09 Frontend Working Group Meeting Notes: Shai-Hulud, Program Dashboard, etc

 Date, time, location

• Date:Oct 9, 2025 at 15:00 UTC (timezone converter)

• Location: https://meet.google.com/wxe-myxy-uei

 Discussion topic(s)

• [Adolfo] Shall we discuss security, for a moment? Specially in light of Shai-Hulud (forum post), which is a supply-chain attack with too many CVEs to even publish. Questions:

  • Should this investigation be delegated to maintainers of individual repos?

  • Do we care about this particular issue any more than any other critical vulnerability? There are quite a few across the org. See frontend-app-learning’s report, for instance.

🎥Recording

• Video: https://drive.google.com/file/d/1emnvRFQu2ylP04AofOLNKLcfarfsAbJi/view?usp=drive_link

• Chat: https://drive.google.com/file/d/1WtZbQ3ZEMxTc3CVTFVoOyRIyPnaqaUE6/view?usp=drive_link

• Transcript: https://drive.google.com/file/d/1Sz0M3KnssQN2AEjguzzV9hUoyo4lNaMSnfB-9-OLJPY/view?usp=drive_link

 Participants

Adolfo Brandes, Brian Smith, Diana Villalvazo Salas, Jacobo Dominguez, Jesse Stewart (WGU), Max Frank

🤖 Summary

• Agreed path to centralize masquerade & course navigation bars via a header slot in Frontend Base.

• CSS background-image breakage and Sass “mixed declarations” deprecation surfaced; issues to be tracked and fixed.

• React Compiler: target after React 19; start linters/strict-mode prep now.

• Program Dashboard: proposal to move legacy edx-platform UI into Learner Dashboard MFE behind a feature flag.

• NPM supply-chain incident: script-based audit underway; refine process and Renovate strategy.

Decisions

1. Masquerade & Navigation Bars

   • Create a slot in header (Frontend Base shell) to host masquerade/navigation bars.

   • Short term code location: under Frontend Base (shell/header), e.g., shell/header/masquerade.

   • Keep open the option to relocate into a dedicated lib later if bloat/ownership becomes an issue.

2. Roles model (future work)

   • Long-term direction: allow apps to define/extend roles outside Frontend Base so apps can opt-in UI elements (e.g., navigation/masquerade) per route.

3. React Compiler adoption

   • Wait for React 19 GA and a non-RC compiler.

   • Prep now with StrictMode and eslint-plugin-react-hooks consistently enabled.

4. Program Dashboard migration

   • Proceed with UI port to Learner Dashboard MFE, gated by the existing ENABLE_PROGRAMS flag (tab + route).

   • Not a plugin for now due to routing; revisit once Frontend Base routing makes it trivial.

Action Items

• Diana — Open a PR to Frontend Base:

  • Add header slot for masquerade/navigation bars.

  • Implement initial masquerade/navigation components (under shell/…) that fill the slot.

  • Note pros/cons in the PR for review.

• Jacobo

  • File a public issue documenting:

    • CSS background-image not rendering when referenced from stylesheets in MF.

    • Sass “mixed declarations” warning (currently silenced in several repos).

  • Create a draft PR with a minimal repro; tag Adolfo/Brian.

• Brian —

  • Issue created: Ensure StrictMode + eslint-plugin-react-hooks are enabled/enforced in Frontend Base.

  • Verify usage across repos; add ignores with TODOs where fixes aren’t immediate.

• Max —

  • Continue Program Dashboard MFE migration behind ENABLE_PROGRAMS.

  • If parity reveals legacy-only features that shouldn’t carry over, start a Slack thread; if consensus, raise a DEPR instead of porting them.

• Jesse —

  • Polish and share the repo-audit script (checks lockfiles for compromised versions; include target list and results).

  • Post findings and script (attach or link) to the thread; separate critical hits (installed bad versions) from warnings.

• Adolfo —

  • Loop in Feanil (security) about the npm incident, Jesse’s script, and propose adding it to a lightweight security procedure.

• Team —

  • Remove any chalk 5.6.1 (or other compromised versions) from lockfiles where present; prefer updating via Renovate PRs.

  • Review Renovate automerge policy; consider gating automerge on ecosystem “health”/adoption signals to reduce risk.

Risks / Parking Lot

• Multi-app slot contention: clarify patterns when multiple apps insert the same bar into the header slot.

• Code ownership/bloat in Frontend Base: monitor; split to a shared lib if it grows.

• Build pipeline differences (library install vs MFE bundling) may impact asset paths (CSS url(...))—investigate loaders/config.

• Supply-chain hygiene: formalize cadence to run Jesse’s audit; decide where it lives (tools repo vs. script attached to security docs).

Notes & Context

• CSS images work when imported by components but fail from CSS → likely relative-path/loader resolution with the new packaging approach.

• npm reportedly yanked chalk@5.6.1; caches could still install it—hence lockfile audits matter.

• Goal with Program Dashboard: enable clean deprecation/removal of legacy code once MFE version is live and feature-complete (or explicitly DEPRs omitted parts).