alert users that depend on plotly-latest that the website is using latest v1 not the latest #3118

Open
archmoj opened this issue Jan 6, 2025 · 9 comments
Labels
feature something new P2 considered for next cycle task one-off task

@archmoj
Contributor

archmoj commented Jan 6, 2025

@archmoj we really need to mark plotly-latest with a console warning.

@BPowell76 plotly-latest is the end of the v1.x line. Starting in v2.0 we stopped updating this so that the major update and following updates don't accidentally break existing projects. Please update your project to use a specific version from the CDN.

Originally posted by @alexcjohnson in #1794

@archmoj
Contributor Author

archmoj commented Jan 6, 2025

@gvwilson This is an issue that IMHO requires input from @ndrezn and @emilykl in terms of existing apps.
I would appreciate it if you could please add it to the list of items we discuss in our upcoming libraries meetings.
Thank you.

@ndrezn
Member

ndrezn commented Jan 6, 2025

We could probably add a note to our documentation but I agree with Alex that in terms of how this should materialize in the product, we should issue a patch release on top of plotly-latest adding a console warning that this is 1.x and not actually latest.

@alexcjohnson
Collaborator

I don’t think it even needs a new release (in fact it should not be a new release, anyone using 1.x explicitly should see no change), just a new file uploaded to plotly-latest that adds a console warning to the existing file

@archmoj
Contributor Author

archmoj commented Jan 6, 2025

Only overwriting the CDN files may/will potentially break websites that load the source file using a hash for extra security. Please see https://content-security-policy.com/hash/

Instead IMHO we should release a plotly.js v1 patch to properly address this issue.
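
The hash concern raised in the comment above, shown as an added example that is not part of the thread or of plotly.js: a Node.js sketch of the check a browser performs when a script tag pins a hash in its `integrity` attribute (Subresource Integrity). The file contents are constructed stand-ins and the function names are hypothetical.

```javascript
// Added example: SRI-style integrity check, runnable with Node.js.
const crypto = require('crypto');

const ALGS = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an integrity value of the form "<alg>-<base64 digest>".
function sriDigest(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Mimic the browser: parse the attribute, keep only the strongest
// algorithm present, accept if any digest of that algorithm matches.
function integrityMatches(body, integrityAttr) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => {
      const i = t.indexOf('-');
      return { alg: t.slice(0, i).toLowerCase(), digest: t.slice(i + 1).split('?')[0] };
    })
    .filter((t) => ALGS.includes(t.alg));
  if (tokens.length === 0) return true; // no usable metadata: nothing to enforce
  const strongest = tokens
    .reduce((a, b) => (ALGS.indexOf(b.alg) > ALGS.indexOf(a.alg) ? b : a)).alg;
  return tokens.filter((t) => t.alg === strongest)
    .some((t) => sriDigest(body, t.alg) === `${t.alg}-${t.digest}`);
}

// Constructed stand-ins for the CDN file before and after a warning is added.
const original = Buffer.from('/* plotly-latest.min.js (constructed stand-in) */\n');
const withWarning = Buffer.concat([
  Buffer.from("console.warn('plotly-latest is obsolete');\n"),
  original,
]);

// Integrity value a site would have pinned against the original file.
const pinned = sriDigest(original);

function demo() {
  return {
    originalLoads: integrityMatches(original, pinned),      // unchanged file passes
    modifiedLoads: integrityMatches(withWarning, pinned),   // overwritten file is blocked
    repinnedLoads: integrityMatches(withWarning, sriDigest(withWarning)),
  };
}

console.log(demo());
```

A site that pinned the old digest stops loading the script until it updates the `integrity` value; sites that load the file without a pinned hash are unaffected.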

@alexcjohnson
Collaborator

But plotly-latest changed many times in the past and we never worried about the hash changing, why would it be different now? If you're using an unversioned file like plotly-latest you expect the file and its hash to change from time to time.

Anyway if you really want to create a new release in the 1.x branch for this, how do we ensure that anyone loading that new release explicitly will not see this warning, only people loading plotly-latest will see it?

@ndrezn
Member

ndrezn commented Jan 6, 2025

Yeah I tend to agree with Alex -- in Python this would probably be issued as a post release but to my understanding there's not really an equivalent in JS. It seems reasonable just to push an extra file with the console warning to the CDN.

I think it's fine not to issue a new release and to just add the warning straight to the CDN.

@archmoj
Contributor Author

archmoj commented Jan 6, 2025

@ndrezn What should the console warning contain exactly?

@ndrezn
Member

ndrezn commented Jan 6, 2025

Something along the lines of:

Warning: You are using `plotly-latest`, which provides the December 2020 release of Plotly v1.58.4. You can see our recommended version using the CDN from https://plotly.com/javascript/getting-started/#plotlyjs-cdn 

@LiamConnors do you have opinions on this?

@alexcjohnson
Collaborator

I like that message, though I'd tweak it a little. It's v1.58.5, which was released July 2021, but that's just a security patch. The latest feature release on the 1.x branch is from Dec 2020 but both are so old I'd stick with the actual 1.58.5 date. And I'd emphasize that despite the name it's no longer the latest. So something like:

Warning: You are using `plotly-latest`, which is obsolete.
It contains the last version 1.x build of plotly.js (v1.58.5), released in July 2021.
To use the CDN with plotly.js v2 and higher, you must specify an exact version.
See our recommended version using the CDN at https://plotly.com/javascript/getting-started/#plotlyjs-cdn

@gvwilson changed the title from "Should we alert users and/or developers/owners of all websites that still depend on plotly-latest that the website is using latest v1 not the latest? And how?" to "alert users that depend on plotly-latest that the website is using latest v1 not the latest" on Jan 7, 2025
@gvwilson added feature something new P2 considered for next cycle task one-off task labels Jan 7, 2025