Bump underscore from 1.12.0 to 1.12.1

[dependabot]

Bumps underscore from 1.12.0 to 1.12.1.

Commits

• c627e38 Mention CVE-2021-23358 in code, test and documentation (#2915)
• c9e803e Add diff and docs to the 1.12.1 change log entry
• 0c20985 Restore comments from 7e89b79f95e7b
• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for #2911 for the time being
• 4c73526 Fix #2911
• ef646cc Reflect real issue of #2911 in test from #2912
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @nextcloud-command.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[nextcloud-bot]

@dependabot merge

[skjnldsv]

@dependabot rebase

[nextcloud-bot]

@dependabot merge

[skjnldsv]

Breaks the tests for some reason 🤔

[juliusknorr]

Looks like jashkenas/underscore#2918

[nextcloud-bot]

@dependabot merge

[nextcloud-bot]

@dependabot merge

[skjnldsv]

Breaks the tests for some reason

@MichaIng let's pause this upgrade until investigation

#27279 (comment)

[nextcloud-command]

@dependabot merge

[skjnldsv]

@MichaIng let's pause this upgrade until investigation

[MichaIng]

I'm trying to understand the underlying issue:

• The failing tests seem to be about browser window resize events.
• When the window is resized, some functions are triggered, like additional elements shown or hidden or moved.
• As during resizing e.g. via non atomic mouse drag, the browser triggers the event very repeatedly, it is not always desired to have the functions being called on each event, but at best only once after the resizing has been completed, to avoid overhead.
• To achieve this, the actual function calls are wrapped into debounce, which delays them until a certain time after the last debounce call, hence the event must not have been called for a certain time for the functions to be called.
• In tests, to avoid an unnecessary delay and to avoid trying to check a state while the actual function is still being delayed by debounce, the involved timer is mocked, which basically eliminates the delay, so the actual function is called immediately and the state hence can be checked immediately?
• And such a mocked timer cannot be used anymore with the changed debounce implementation of underscore 1.12.1.

Taken the above is correct, I see two three solutions:

1. We do not test whether resizing has the desired effect, but we only test whether calling the actual function(s) has the desired effect. Of course this means that we do not test whether resizing really calls debounce and whether the latter really calls our functions, but probably it is an acceptable compromise, given that the underscore library and its debounce function themselves are tested by their developers.
2. We add a sleep after the resize event to assure the debounce timer elapsed and the function calls have hence been done, before checking the result. At least for resizing events, I guess we talk about <<1 second, so nothing that would slow down tests in any significant way, given that some take up to 30 minutes, have 120 seconds timeouts for certain state changes etc. This of course demands that we know that the resizing during the test is an atomic step, calling debounce once only, or otherwise that we know for sure the maximum delay it can have during the test.
3. We check the result in a loop with a timeout, like some drone tests do (though some of them still regularly fail for some reason and delay the tests significantly indeed).

[dependabot]

A newer version of underscore exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

[MichaIng]

@dependabot recreate

[nextcloud-command]

@dependabot merge

[dependabot]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

[MichaIng]

/compile amend /

[skjnldsv]

fixed by #30020

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.