*Camunda Platform 8, our cloud-native solution for process orchestration, launched in April 2022. Images and supporting documentation in this post may reflect an earlier version of our cloud and software solutions.
Update 05/04/2022:
This change is being pushed back: it will ship in the June alpha release and, for EE customers, in a patch release in May. This doesn’t affect end users, as no relevant changes have been made within XLTS that we consider necessary for the security or stability of the web apps.
Searching for a Solution
We started investigating the options over a year ago. At first, we thought perhaps it was time to rebuild all the web apps in a more modern framework. So, we gave it a try.
A team at Camunda worked for a month to assess the potential of migrating Cockpit to the React.js framework. Afterward, we determined it could take us two years to do a complete migration solely for Cockpit. Considering we had one year before support ran out, we needed to identify a faster solution. An interesting fact about the work done during that month is that, in preparation for it, we managed to produce a brand new plugin system which we now use in Cockpit. You can read more about it in this blog post.
We then addressed the following two questions:
- At Camunda, could we fork AngularJS and provide security patches on our own?
- Can we find a company that’ll support the framework for us?
We spent some time looking into AngularJS ourselves to see if we had the bandwidth and expertise to fix any problems that came up in the framework. In short, we didn’t. Not being experts in the framework itself makes it very difficult for us to offer guarantees on security patches. It’s also important to acknowledge that our developers’ time is best spent working on Camunda, not maintaining an adjacent technology. Therefore, we couldn’t justify doing that.
We decided the best approach was to look for some way to continue with AngularJS and find a partner to offer the support we needed. This meant finding an organization that could help us ensure AngularJS remained secure after it lost support from its original maintainer. So, that’s what we did.
XLTS It Is
XLTS is a fork of AngularJS that’s maintained by xlts.dev. By switching out the current AngularJS dependencies with XLTS, we can ensure that people using the web apps can continue to do so for years to come. Unlike AngularJS, which has an open source MIT license, XLTS has a proprietary license, meaning the source code is not freely available.
There are several effects from implementing this approach, and it’s important to know the things that will be completely unaffected as well as what will change for some people:
- First and foremost, Camunda Platform 7 Community Edition and Enterprise Edition users shouldn’t be concerned about unsupported frameworks like AngularJS existing in their stack. By adding XLTS to the web apps, we can guarantee all of the people using the Camunda web apps will be supported for years to come.
- The end-users of the Camunda web apps will feel no effect of this change at all. By continuing support for the existing framework, anyone currently using Cockpit, Tasklist, or Admin can expect a flawless transition.
- The core component of Camunda Platform 7 and Camunda Engine will go completely unaffected. Thanks to the decoupling of front-end components, the engine won’t even know there’s been a change.
- If you’re redistributing Camunda yourself, you’re not affected. You can still wrap up the web apps as you did before without any changes.
- The new XLTS libraries that’ll be added in our upcoming 7.17 release are licensed under a proprietary license (the XLTS license), so Camunda users need to be aware of the terms of that license. The most important thing is that the new libraries are bundled with the Camunda web applications, and the XLTS license will not permit the disassembly of these libraries into source code. Camunda source code is still available via GitHub – no changes there. If you build from that source code, it’ll compile with the original, out-of-support AngularJS components, not the new XLTS components. Details of this will be added to our documentation.
- For members of the community using the Camunda Platform 7 Enterprise Edition, when 7.17 is released later this year, a back-ported fix will be released for 7.14, 7.15, and 7.16. This will add XLTS to the web apps to ensure you have a secure front-end application.
- This approach gives Camunda more flexibility in prototyping other possible solutions if we decide to move forward with a different solution to the AngularJS problem.
Moving Things Along for You
In the end, we’ve managed to remove a potential problem with our web apps and produce a solution that works for all Camunda users.