Skip to content

Relax our dependency criteria#1503

Merged
cristiano-belloni merged 6 commits intomainfrom
feature/relax-get-dependencies
Mar 25, 2022
Merged

Relax our dependency criteria#1503
cristiano-belloni merged 6 commits intomainfrom
feature/relax-get-dependencies

Conversation

@cristiano-belloni
Copy link
Contributor

@cristiano-belloni cristiano-belloni commented Mar 24, 2022
edited
Loading

  • Allow devDependencies to be in the dependency manifest
  • Prevent throwing when generating the manifest if there are transitive deps, show a warning that this will be an error in next major

@changeset-bot
Copy link

changeset-bot bot commented Mar 24, 2022
edited
Loading

🦋 Changeset detected

Latest commit: a1a2e8d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
modular-scripts Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coveralls
Copy link
Collaborator

coveralls commented Mar 24, 2022
edited
Loading

Coverage Status

Coverage increased (+0.05%) to 28.742% when pulling a1a2e8d on feature/relax-get-dependencies into 178796b on main.

@cristiano-belloni cristiano-belloni changed the title relax our dependency criteria Relax our dependency criteria Mar 24, 2022
@cristiano-belloni cristiano-belloni force-pushed the feature/relax-get-dependencies branch from 56a1421 to 5732dff Compare March 24, 2022 15:05
steveukx
steveukx reviewed Mar 24, 2022
View reviewed changes
packages/modular-scripts/src/utils/getPackageDependencies.ts Outdated
const rootPackageJsonDependencies = rootManifest.dependencies || {};
const targetPackageJsonDependencies = targetManifest.dependencies || {};
const rootPackageJsonDevDependencies = rootManifest.devDependencies || {};
const targetPackageJsonDevDependencies = targetManifest.devDependencies || {};
Copy link
Contributor

@steveukx steveukx Mar 24, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: as an option for making this a bit less verbose:

const deps = Object.assign(Object.create(null).
  targetManifest.devDependencies,
  rootManifest.devDependencies, 
  targetManifest.dependencies, 
  rootManifest.dependencies, 
);

// ...
manifest[depName] = deps[depName];
if (manifest[depName] === undefined) {
  logger.error(...);
}

Copy link
Contributor Author

@cristiano-belloni cristiano-belloni Mar 24, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done with

const deps = {
    ...rootManifest.dependencies,
    ...targetManifest.dependencies,
    ...rootManifest.devDependencies,
    ...targetManifest.devDependencies,
  };

@steveukx
Copy link
Contributor

steveukx commented Mar 24, 2022

Are there any tests of the build command that could cover this change?

@cristiano-belloni
Copy link
Contributor Author

cristiano-belloni commented Mar 24, 2022
edited
Loading

Are there any tests of the build command that could cover this change?

We have snapshot tests for the dependency manifest, which pass without modifications because we just relaxed our criteria (so there's no change). We don't have any test of the build command failing because of some deps not in package.json (but we wouldn't need them now, since with this PR it would never fail).

steveukx
steveukx reviewed Mar 24, 2022
View reviewed changes
packages/modular-scripts/src/utils/getPackageDependencies.ts
rootPackageJsonDependencies[depName] ??
targetPackageJsonDevDependencies[depName] ??
rootPackageJsonDevDependencies[depName];
const depVersion = deps[depName];
Copy link
Contributor

@steveukx steveukx Mar 24, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a potential prototype pollution - if the depName happens to be toString then it will be a property of deps whether it's specified or not.

Copy link
Contributor Author

@cristiano-belloni cristiano-belloni Mar 24, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed: using Object.assign(Object.create(null), ...) with a type assertion

@cristiano-belloni cristiano-belloni merged commit 1a39571 into main Mar 25, 2022
@cristiano-belloni cristiano-belloni deleted the feature/relax-get-dependencies branch March 25, 2022 10:59
@github-actions github-actions bot mentioned this pull request Mar 25, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benpryke benpryke Awaiting requested review from benpryke

@cangarugula cangarugula Awaiting requested review from cangarugula

@LukeSheard LukeSheard Awaiting requested review from LukeSheard

1 more reviewer

@steveukx steveukx steveukx approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cristiano-belloni @coveralls @steveukx