[x] [dash-dangerously-set-inner-html mixed React 15 and 16 support](https://github.com/plotly/dash-core/issues/21)
[x] [serve files locally by default](https://github.com/plotly/dash-core/issues/10)
SyntaxHighlighter component entirely[x] [Version lock Dash repos](https://github.com/plotly/dash-core/issues/24)
[x] [validation against real world applications](https://github.com/plotly/dash-core/issues/22)
serve_locally=True by default now so this is somewhat less important.This is the "Proposed Breaking Changes" issue as per the "Breaking Changes" process outlined in https://github.com/plotly/dash/issues/458.
The version 1.0.0 ofdash,dash-renderer,dash-core-components, anddash-html-componentswill be compatible with each other and will contain at least one breaking change across the libraries.
We will publish the breaking changes no earlier than 2 weeks after we have publicly committed to the proposal in this issue.
react-dom from v15.6.2 to v16.6.1serve_locally = True by defaultreact) and react-dom from v15.6.2 to v16.6.1Technical Background
Dash's front-end is built on top of React.js. This includes:
dash-renderer: The package that renders components, makes API calls to Dash's backend, and manages updatesdash-core-components and dash-html-components, are React components, rendered by dash-renderer.dash-renderer provides the React libraries (as script tags) - individual component libraries do not have React.js bundled in their libraries (React is an "implicit" dependency). So, to update React, we only need to update the React and react-dom libraries provided in dash-renderer. The component authors are responsible for ensuring that their components will work in this new version of React.
Pull Requests that make these changes
Reason for Upgrade
dash-core-components are simply wrappers around 3rd party components in the React community. Without upgrading React, we can't upgrade our components to the latest versions of the React components, missing out on bug fixes and features.dash-renderer can only be implemented with features available in React 16. In particular, our Dash Dev Tools project that propagates error messages from the browser console and the backend to the app's UI.Implications for the Dash Developer
dash, dash-renderer, dash-core-components, or dash-html-components.Implications for the Dash Component Author
PropTypes import.javascript
import React, {PropTypes} from 'react';
javascript
import React from 'react';
import PropTypes from 'prop-types';
dash-renderer by setting:import dash_renderer
dash_renderer._set_react_version('16.2.0')
We should update
dash-rendererwith an option to try out React 16.6.1.
Implications for Documentation
Our plugin documentation and the dash-component-boilerplate will need to be updated to highlight this change.
Implications for Community Forum
The following threads mention React and will need to be updated:
I searched "React 16" and "React 15" in the community forum to find these threads.
Will this break or change in the future? If so, how can we prepare?
Yes. React 17 will come out next year with its own set of breaking changes. Component authors will need to upgrade our components to be React 17 compatible and we will need to update dash-renderer with the new version of React.
For this to be a smooth transition, we should:
dash-renderer with dash_renderer._set_react_version('17')Can this be done in a backwards compatible way instead?
No. There is only one React version that is included in Dash and that version needs to be upgraded.
Are there any other risks to consider?
Some Dash component authors in the community may not upgrade their components to be React 16 incompatible (because they didn't get the notifications, they don't have the time, they don't have the expertise, etc).
If certain popular components aren't updated, then the Dash dev team (or other community members) could make a (temporary) fork of the components that is compatible.
We will rely on users to report these issues via the Dash Community Forum.
Beyond the communication policy outlined in #458, are there any other ways that we can inform our users about this change?
Can we automate the upgrade process for our users?
Not really. We could make PRs into the open source libraries for certain simple, common fixes (like the proptypes import).
Is there anything to consider with respect to compatibility between components?
Yes. The "1.0" series of dash-renderer will only be compatible with the "1.0" series of the main component libraries (dash-core-components, dash-html-components). Technically, dash will not be affected and the "1.0" series of dash may be compatible with the "0" series of the other libraries and vice versa. However, this will not be guaranteed. We will gaurentee the compatibility of these packages within a major version series.
If something breaks, can we inform users through an error message in any way?
I don't think so. We will be relying on React to provide helpful error messages if a component is incompatible. Perhaps we could test this out and create community forum posts with the error messages in advance of this change.
Are there any open items?
dash-renderer needs to be updated with a way for users to try out React 16.6.1 (here: https://github.com/plotly/dash-renderer/blob/5e4d5629eb03a68bdbefd650d2f64a4ba9c48529/dash_renderer/__init__.py#L16-L38)serve_locally = True by defaultPull Requests that make these changes
https://github.com/plotly/dash/pull/722
Reason for Upgrade
By default, the JavaScript and CSS for Dash's component suites are served from the unpkg CDN (the same CDN that the React.js recommends). The user can serve these packages locally, from their Python site-packages folder (the folder that contains the installed packages for a given Python installation) by setting:
app.scripts.config.serve_locally = True
app.css.config.serve_locally = True
Serving the assets from the CDN may be faster than serving the assets from Flask (although this has not been rigorously tested). However, there are several issues:
serve_locally = True, the app will silently fail to load.serve_locally = True. While dash-core-components, dash-html-components, and dash-table will all be published to NPM, not all packages will be. For example, packages that are built by organizations and kept private or packages that are in development (via dash-component-boilerplate).Implications for the Dash Developer
serve_locally=False is used (implicitly set as the default or explicitly set), serve_locally=True should work as well.url_base_pathname, requests_pathname_prefix, and/or routes_pathname_prefix), then the Dash JavaScript and CSS bundles will be routed through that prefix as well. This is already supported and handled automatically by Dash.site-packages folders. Users using Percy can fix this by explicitly setting serve_locally=False. This will affect a small number of users.serve_locally = False has been the default, we aren't fully aware of how many users will have this issue.Implications for the Dash Component Author
Less frustration! serve_locally=True needs to be set when developing a component locally (since it isn't published to NPM while developing) and it's easy to forget this.
With serve_locally=True, Dash Component authors that publish public packages may forget to test their packages with serve_locally=False. If they follow the instructions from the boilerplate, then it "should work" but they may forget or misconfigure the necessary references to extra CSS files.
Implications for Documentation
Implications for Community Forum
serve_locally setting. We should update the most popular threads to inform users that they don't need to set this anymore:Will this break or change in the future? If so, how can we prepare?
No. Once serve_locally = True should be the default for here on out.
Can this be done in a backwards compatible way instead?
No.
Are there any other risks to consider?
There is a risk that serving the JS and CSS files from site-packages doesn't work in some environments due to unknown reasons. As always, we will have to rely on user's bug reports in the community forum and GitHub.
Beyond the communication policy outlined in #458, are there any other ways
that we can inform our users about this change?
No.
Can we automate the upgrade process for our users?
No.
Is there anything to consider with respect to compatibility between
components?
No. All component libraries should work with serve_locally = False.
If something breaks, can we inform users through an error message in any
way?
Perhaps.
dash==0.30.0, we silenced flask's route logging for 200 level requests, do we still log 4xx or 5xx errors in the terminal? Should we?Are there any open items?
dash https://github.com/plotly/dash/pull/722dash-docs https://github.com/plotly/dash-docs/pull/500Pull Requests that make these changes
https://github.com/plotly/dash/pull/442
Reason for Upgrade
Currently, when serve_locally = False (the current default but soon it won't be, see above), Dash loads component's CSS and JavaScript from the unpkg CDN which is untrusted. This change would add a resource integrity check to the script tags, allowing the browser to reject the resource if it was modified in any way.
~This is a breaking change as it is uncompatible with older versions of dash-core-components. In our "1.0 Series" of Dash, we will ensure the compatibility of versions across our Dash libraries.~
No longer a breaking change since we version-lock the dash core packages.
Implications for the Dash Developer
serve_locally = False will be more secure as long as you are on a browser that supports subresource integrity checks (not supported in IE and Edge).
Implications for the Dash Component Author
Component authors will have to ensure that the files that they are uploading to NPM are unmodified before or after they publish to PyPI as the resource integrity check is computed from the local file.
Implications for Documentation
We will need to document this in our plugin guide: https://github.com/plotly/dash-component-boilerplate
Implications for Community Forum
None.
Will this break or change in the future? If so, how can we prepare?
I don't think so.
Can this be done in a backwards compatible way instead?
~No. Currently, this change breaks old versions of dash-core-components (which had files that were modified in between the NPM and PyPI publish sets) but we can't modify packages that are already published.~
Version locking has rendered this obsolete.
Are there any other risks to consider?
I don't think so.
Beyond the communication policy outlined in #458, are there any other ways
that we can inform our users about this change?
I don't think so.
Can we automate the upgrade process for our users?
Perhaps the publish script in dash-component-boilerplate could ensure that the bundles aren't rebuilt between publishing to NPM and PyPI?
Is there anything to consider with respect to compatibility between
components?
No
If something breaks, can we inform users through an error message in any
way?
If the resource integrity check fails, the user will see an error in their browser console. Perhaps we could include this in our "Dash Debugging Guide", in particular the section about network requests.
Are there any open items?
dash-component-boilerplate ensure that the bundles aren't rebuilt between publishing to NPM and PyPI?Pull Requests that make these changes
NA
Reason for Upgrade
Historically, the undo/redo buttons were a 'feature' that I included during the initial development of Dash. I wanted to ensure that the Dash architecture was amenable to an undo/redo functionality, similar to what's available in other BI solutions. Including them by default in Dash was for my own development sanity: is dash capable of performing undo/redo?
It's a neat feature and it demonstrated how powerful Dash's state-driven architecture was. However, it was never thoughtfully designed and in many cases, it isn't that useful for end-users. In fact, "is it possible to hide the floating toolbar" is one of the most visited community forum topics.
While it's possible to remove the buttons through CSS, it requires some googling to learn how and an extra CSS file. Dash is productive: the default behaviour shouldn't require users to create more than a single file in their project.
So, I propose that we remove them by default and we add an extra config flag to allow users to turn them back on: app = dash.Dash(__name__, show_undo_redo=True).
Implications for the Dash Developer
If users really liked this feature, then they'll have to explicitly turn it back on.
Implications for the Dash Component Author
None.
Implications for Documentation
dash.Dash() constructor, so it should be visible in the users IDE via the docstringdash.Dash settings. We've grouped these settings across different pages corresponding to their feature (e.g. dev tools settings would be in a debugging chapter, hot reloading settings are in the CSS chapter). Perhaps its time to create a central dash.Dash API reference page.Implications for Community Forum
Will this break or change in the future? If so, how can we prepare?
I don't think so. In the future, I could imagine that these buttons could be more configurable so that users could include them in a more thoughtful position in their app (e.g. in a centralized header or footer). Perhaps they would be dcc.Undo and dcc.Redo components. Setting show_undo_redo = False should not affect this.
Can this be done in a backwards compatible way instead?
No.
Are there any other risks to consider?
I don't think so.
Beyond the communication policy outlined in #458, are there any other ways
that we can inform our users about this change?
We should create a new community forum topic outlining the change and specifying how turn this back on.
Can we automate the upgrade process for our users?
No.
Is there anything to consider with respect to compatibility between
components?
No.
If something breaks, can we inform users through an error message in any
way?
No.
Are there any open items?
For more details, see https://github.com/plotly/dash/issues/468
A few technical issues need to be resolved in https://github.com/plotly/dash/issues/468 before we can consider folding this into the 1.0.0 release. If these issues can't be resolved in a timely matter, then we will likely push this fix to the 2.0.0 series.
Thanks for reading 鉂わ笍 As always, we welcome your feedback in this issue or privately via a message on the dash community forum: https://community.plot.ly/u/chriddyp/
Breaking Change 3 - Resource integrity checks for CDN resources
I found the implementation I made in #442 to be a little too dangerous, requires too much attention especially considering third parties components libraries. I'd like instead to add an option in the new cli #451 to generate the hashes and include them as a field in the dist. If the component doesn't have the field we just not include it in the tag formatting. That wouldn't be breaking change.
It doesn't work if the component libraries aren't published to NPM.
Just remove the external_url from the dist and it will serve it locally even if it's not set. There is a flag (publish_on_npm) in the boilerplate to include it or not. Default is True.
Also, when debug=True and dev_tools_serve_dev_bundles=True dash will serve locally by default.
https://github.com/plotly/dash/blob/dcd0f41504821ab7466983b5cd00bff009ca5911/dash/dash.py#L1170-L1172
If a flask route fails, then we could log it in the terminal. In dash==0.30.0, we silenced flask's route logging for 200 level requests, do we still log 4xx or 5xx errors in the terminal? Should we?
500 errors are mostly caused by users exception in routes, the stacktrace/error will still be displayed because the logging level is ERROR.
Something we could do instead of silencing the whole logging is to add a handler/filter and only emit the logs we want.
I think we should also consider removing animate=True from dcc.Graph in favor of the new transitions API - https://community.plot.ly/t/exploring-a-transitions-api-for-dcc-graph/15468
Perhaps we can remove events here as well?
https://github.com/plotly/dash/blob/5ba0bc25448227f33559a71adb4746ebb09bc349/dash/dash.py#L619-L624
Maybe we can delete this too.
With the Dash assets machinery now in place, we could also drop the static_folder kwarg from the Dash __init__ method. It's now redundant, and if someone really needs it, they can pass in their own Flask instance configured accordingly.
This is just to voice support for the move to react 16+. In a current project we would like to make use of some Kendo React components within dash, however the react version is currently a blocker for some of this (as at least some of the Kendo components require react 16+). I imagine this scenario could effect others doing similar things.
Is there an estimated release date for react 16 support as yet? or somewhere to track this release?
Could you confirm the react-markdown component will be updated so that tables will be properly rendered?
@happyshows We will bump react-markdown to 4.x
@happyshows Fwiw, react-markdown has been bumped up to 4.x in Dash 0.40
Dash 1.0 has been released - the lead comment updated to match what we actually did and did not do of the items listed there. See https://dash.plot.ly/dash-1-0-migration or the changelog for a more complete list though, in particular the dash-table API changed substantially and this is not reflected here, also dcc.Markdown and dcc.SyntaxHighlighter were merged.
Most helpful comment
Perhaps we can remove events here as well?