Ensuring Continuous Support of AngularJS in Camunda Platform 7.17

*Camunda Platform 8, our cloud-native solution for process orchestration, launched in April 2022. Images and supporting documentation in this post may reflect an earlier version of our cloud and software solutions.

Update 05/04/2022 :
This change is being pushed back to the June alpha release and in a Patch release in May for EE customers. This doesn’t affect end users as no relevant changes have been made within XLTS that we consider necessary for the security or stability of the web apps.

Cockpit, Tasklist, and Admin are built on top of Camunda’s beloved open source process engine. These three web apps let users communicate with the engine to perform powerful actions or look at what’s happening in the engine. These three web apps are written in JavaScript with the AngularJS framework, a predecessor of the currently supported Angular framework. Support for this framework ended in December 2021. Therefore, all bugs and security flaws will remain unfixed. Rather than have our community suffer the fear of a security breach, we decided to look into the best ways to protect the integrity of the web apps for all users.

Searching for a Solution

We started investigating the options over a year ago. At first, we thought perhaps it was time to rebuild all the web apps in a more modern framework. So, we gave it a try. 

A team at Camunda worked for a month to assess the potential of migrating Cockpit to the React.js framework. Afterward, we determined it could take us two years to do a complete migration solely for Cockpit. Considering we had one year before support ran out, we needed to identify a faster solution. An interesting fact about the work done during that month is that, in preparation for it, we managed to produce a brand new plugin system which we now use in Cockpit. You can read more about it in this blog post.

We then addressed the following two questions: 

1. At Camunda, could we fork AngularJS and provide security patches on our own?
2. Can we find a company that’ll support the framework for us?

We spent some time looking into AngularJS ourselves to see if we had the bandwidth and expertise to fix any problems that came up in the framework. In short, we didn’t. Not being experts in the framework itself makes it very difficult for us to offer guarantees on security patches. It’s also important to acknowledge that our developers’ time is best spent working on Camunda, not maintaining an adjacent technology. Therefore, we couldn’t justify doing that.

We decided the best approach was to look for some way to continue with AngularJS and find a partner to offer the support we needed. This meant finding an organization that could help us ensure AngularJS remained secure after it lost support from its original maintainer. So, that’s what we did. 

XLTS It Is

XLTS is a fork of AngularJS that’s maintained by xlts.dev. By switching out the current AngularJS dependencies with XLTS, we can ensure that people using the web apps can continue to do so for years to come. Unlike AngularJS, which has an open source MIT license, XLTS has a proprietary license, meaning the source code is not freely available. 

There are several effects from implementing this approach, and it’s important to know the things that will be completely unaffected as well as what will change for some people:

1. First and foremost, Camunda Platform 7 Community Edition and Enterprise Edition users shouldn’t be concerned about unsupported frameworks like AngularJS existing in their stack. By adding XLTS to the web apps, we can guarantee all of the people using the Camunda web apps will be supported for years to come.
2. The end-users of the Camunda web apps will feel no effect of this change at all. By continuing support for the existing framework, anyone currently using Cockpit, Tasklist, or Admin can expect a flawless transition.
3. The core component of Camunda Platform 7 and Camunda Engine will go completely unaffected. Thanks to the decoupling of front-end components, the engine won’t even know there’s been a change.
4. If you’re redistributing Camunda yourself, you’re not affected. You can still wrap up the web apps as you did before without any changes. 
5. The new XLTS libraries that’ll be added in our upcoming 7.17 release are licensed under a proprietary license [the XLTS license] and thus Camunda users need to be aware of the terms of the XLTS license. The most important thing is the new libraries are bundled with the Camunda web applications, and the XLTS license will not permit the disassembly of these libraries into source code. Camunda source code is still available via GitHub – no changes there. If you build from that source code, it’ll compile with the original, out-of-support, AngularJS components; not the new XLTS components. Details of this will be added to our documentation.
6. For members of the community using the Camunda Platform 7 Enterprise Edition, when 7.17 is released later this year, a back-ported fix will be released for 7.14, 7.15, and 7.16. This will add XLTS to the web apps to ensure you have a secure front-end application.
7. This approach gives Camunda more flexibility in prototyping other possible solutions if we decide to move forward with a different solution to the AngularJS problem.

Moving Things Along for You

In the end, we’ve managed to remove a potential problem with our web apps and produce a solution that works for all Camunda users.