refactor(jshint): don't assume browser-only globals

[mgol]

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

Feature: We're no longer assuming browser globals in src/**/*.js which will prevent issues like #13442 from happening in the future.

What is the current behavior? (You can also link to an open issue here)

Currently browser globals are assumed. This sometimes breaks tools like jsdom that make them available under window but not as globals; see e.g. #13442.

What is the new behavior (if this is a feature change)?

For the browser these changes shouldn't matter. In other environments browser globals are now taken from the window variable instead of the global.

Does this PR introduce a breaking change?

No.

Please check if the PR fulfills these requirements

• The commit message follows our guidelines: https://github.com/angular/angular.js/blob/master/CONTRIBUTING.md#commit-message-format
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

Other information:

Fixes #13442

[mgol]

I also updated JSHint.

[mgol]

@petebacondarwin I see JSHint failures in the docs gulp task. Which JSHint config is used to lint build/docs/**/*.js?

[petebacondarwin]

@mgol I guess it is just the top level .jshintrc in the root of the project.

[petebacondarwin]

If you want we could copy a docs specific .jshintrc into the build/docs folder as part of the gulp assets task.

[mgol]

Where are globals like by taken from? It surprised me to see errors like:

'by' is not defined

[gkalpak]

by should be from Protractor

WRT .jshintrc, I believe it's better to take a more granular approach, specifying globals in the directories they are needed. E.g. don't have something in the top level if we only need it in src/ or test/ etc.

[petebacondarwin]

@gkalpak - in that case we need dgeni to create and provide such a file for every example that contains e2e tests.

[gkalpak]

Why is that ? Can't we just put the required globals in a parent directory's .jshintrc ?

[petebacondarwin]

OK, so I forgot that the e2e tests all go in their own folder.
The relevant folders we have are:

docs
 - js
 - examples
 - ptore2e

So we should copy a baseline .jshintrc in the docs folder, then perhaps a specialized one inside the ptoe2e.

[mgol]

So we should copy a baseline .jshintrc in the docs folder

We can extend a common one, no need to copy all the settings. :)

[lgalfaso]

Would it be possible to use $window in the cases that this is possible?

[mgol]

@lgalfaso It would but I'm pretty sure it'd break a lot of tests as people are mocking $window and not providing all necessary fields like setTimeout so I don't think that's something we should attempt in 1.5.x.

Also, we're currently providing globals window & document as parameters to the factory; we'd need to drop document from there and always use $window.document.

We might consider all that for 1.6 but I wanted to land something in 1.5.x and it seems too risky to me. WDYT?

[lgalfaso]

Fair point, let's keep window

On Friday, April 1, 2016, Michał Gołębiowski notifications@github.com
wrote:

@lgalfaso https://github.com/lgalfaso It would but I'm pretty sure it'd
break a lot of tests as people are mocking $window and not providing all
necessary fields like setTimeout so I don't think that's something we
should attempt in 1.5.x.

Also, we're currently providing globals window & document as parameters
to the factory

angular.js/src/angular.suffix

Line 5 in b54634d

})(window, document);

;
we'd need to drop document from there and always use $window.document.

We might consider all that for 1.6 but I wanted to land something in 1.5.x
and it seems too risky to me. WDYT?

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#14345 (comment)

[gkalpak]

@mgol, now that you mention it, couldn't we just change document to window.document in angular.suffix#L5 and leave it as just document in most other places ?

[mgol]

@gkalpak I've already talked with @petebacondarwin about that. :) I plan to apply this change.

[mgol]

So, I've been wondering about this change. Since I'm removing "browser": true I need to specify each browser global that should be used directly in .jshintrc. But that would mean I need to add document there as well. If we go this route, we might also want to add window.setTimeout & friends to the factory parameters in

angular.js/src/angular.suffix

Line 5 in b54634d

})(window, document);

but then they'd need to be added there as well... Perhaps we need one base .jshintrc for all source files that would declare these assumed browser globals? Or maybe we should just prefix all browser globals with window. and not do all that? Thoughts?

[petebacondarwin]

Don't we have that situation right now?
The .jshintrc in the src folder is responsible (really) for the ng folder source files and the top level source files such as Angular.js and jqLite.js. Then each of the modules has its own .jshintrc. Each of these extends the jshintrc-base file.

[mgol]

The .jshintrc-base file is a base for the whole project but I want the few browser globals to only be defined in code run in browsers, not e.g. Node. We could perhaps get a separate .jshintrc-base created under src/ that would extend the main base config & add those globals from the factory and then extend this file?

[mgol]

OTH, as @lgalfaso mentioned, ideally we'd use $window where appropriate but we can't do it that way before 1.6.0. But if we want to do it in the end, keeping anything except window in the factory seems backwards. So we should decide if we want to change it in 1.6.0 and if the answer's yes I'd remove document from the factory & just prefix every non-core JS browser global with window..

[petebacondarwin]

@mgol I think that your suggestion based on moving to using $window everywhere in 1.6 and prefixing all browser globals with window in 1.5 sounds reasonable. Do you want to have a go at that and see if it turns up any difficulties?

[mgol]

@petebacondarwin on it!

[mgol]

PR updated.

[mgol]

All tests have passed this time.

[petebacondarwin]

Sweet!

[petebacondarwin]

I don't think we need the callback here

[mgol]

Right; I forgot to remove it after backtracking from a previous idea. :)

[petebacondarwin]

I think that having undefined as a parameter, which is not assigned, is actually a clever way to ensure that we have the "real" undefined inside the closure. So I am for leaving this as a parameter.

[mgol]

What would it guard against, though? We've used to have the same parameter in jQuery but we removed it; if someone created a variable undefined that is not equal to undefined, basically everything would be broken.

[mgol]

IOW, shadowning undefined with sth else is more or less equivalent to shadowing any other builtin like Object, Array, Object.prototype methods etc. There are lots of ways in which someone can create a broken environment in which Angular breaks. I don't think it buys us much to defend just against shadowing undefined and it's impossible to guard against everything.

[petebacondarwin]

var old_undefined = undefined;
undefined = {};
function moo(undefined) {
  console.log(undefined === old_undefined);
}
moo();

[mgol]

I know what it does. :) What I'm saying is that it doesn't really buy us much; there are thousands other APIs that, if messed with, will break Angular and we don't protect against such changes. Moreover, I think it's more likely that someone will break Object.prototype for us than that they'll shadow undefined. I feel this undefined parameter is only providing a false sense of security.

[petebacondarwin]

It saves us from using void 0 everywhere, no?
I agree it doesn't save us from the other stuff, but we do have various bits of defensive code in place in the case that people do override parts of the Object.prototype.
What is the benefit in removing it?

[mgol]

It saves us from using void 0 everywhere, no?

I'd just rely on the undefined from the outer scope. Note that it's not even possible in ES5 to overwrite undefined, it's immutable even in sloppy mode (the only difference is that in strict mode trying to overwrite undefined throws while in sloppy mode it's just a noop). The only way this could backfire is if Angular was loaded not via a regular script tag but wrapped in a separate closure which shadowed undefined. But that requires modifying the source and if someone does that we've already lost the battle.

I agree it doesn't save us from the other stuff, but we do have various bits of defensive code in place in the case that people do override parts of the Object.prototype.

Since the global undefined is immutable if Angular is loaded normally so that its undefined points to the global one no one is able to modify that; shadowing is also impossible after the fact.

What is the benefit in removing it?

There is no huge benefit, perhaps a tiny size decrease. If you feel strongly about it, I'll restore it. :) I just think it doesn't really solve any problem.

[petebacondarwin]

OK, you convinced me :-)

[petebacondarwin]

OK, LGTM - please merge

[gkalpak]

👍

Regarding the using $window in 1.6.x, won't that break lots of tests relying on a mocked $window ?

[mgol]

@gkalpak #14345 (comment) :P

That's why I didn't want to land it for 1.5. As for 1.6, we can still discuss.