First of all, let me be very clear that this post is not a rant. I am very well aware of the fact that sometimes maintainers simply don’t have time to look into all issues and PRs, so that is not what this is about.
This post is only about how app developers should deal with situations where there is a lack of progress on the relevant Nextcloud repositories, to the extent that it is more or less blocking further progress for the app developer (be it due to some bug, needed feature, dependency or what not).
One example is this PR in the
user_saml app: Bump firebase/php-jwt from 4.0.0 to 6.3.1 in /3rdparty by dependabot[bot] · Pull Request #667 · nextcloud/user_saml · GitHub - It raises the version of the php-jwt library from 4.0 to 6.3, which is a very good idea. Worth noting is that it supersedes a previous PR on the very same topic, namely Bump firebase/php-jwt from 4.0.0 to 6.3.0 in /3rdparty by dependabot[bot] · Pull Request #635 · nextcloud/user_saml · GitHub .
A few things worth noting:
- The current/old version of php-jwt in the app is 4.0. This version is from mid 2016, which is extremely old (7.5 years). Since then, there has been numerous important updates and fixes to the library.
- The superseded PR was opened in july 2022, so even though the current PR is just about 1.5 months old, the matter of getting the php-jwt library up to date is been ongoing for six months.
The reasons why this (example) PR not being merged is a problem are mainly the following:
- When this app (and also another one, in which the very same problem exists, use of a very very old php-jwt version) loads, it populates the namespace for php-jwt with this old 4.0 version.
- This makes it so that when another app loads, which in it has its own newer version of php-jwt, it doesn’t load the newer version of php-jwt.
- This results in the other app using the old and wrong version of php-jwt, which has a different API, which means that the other app just breaks.
- As we all know, there’s just one instance of the same namespace in PHP, so there’s no way to work around this nicely. I already tried changing the order in which the apps are listed, but it didn’t matter (but even if it did make the newer php-jwt version load instead of the old one, that would instead break the apps wanting the old version of the library, so meh).
So in summary; Because this
user_saml app (and at least one other, namely the onlyoffice one) uses a 7.5 years old library, other applications are unable to work. For this reason we either need to work around the namespace issue, or simply get these apps not use insanely old library versions. Of course the best solution would be that all apps stay up to date with current libraries.
Now, the question becomes; How should app developers deal with this in practice? Surely the main ingredient is to have some patience, we can’t expect the Nextcloud app maintainers to review and finally merge PRs straight away. But at some point we either have to do some ugly hacky workarounds, or keep nagging the maintainers to get their attention and reviews. However, the latter is not very fun for either part, and nor does it help very much (generally speaking it just increases maintainer fatigue).
What are other people’s views on this? What are the Nextcloud maintainers view on this (perhaps @Daphne knows)? How would they want us to act in situations like this?
I’d like to point out that the above is just one single example. There are plenty of blocking issues and PRs. Some of them get attention after a while of bumping, some others don’t. It’s just a general problem