-
Notifications
You must be signed in to change notification settings - Fork 607
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[rush] Can we eliminate Rush's dependency on the "keytar" package? #2492
Comments
This would be hugely appreciated. 🙏🏼 This also has broken the build for us on Netlify |
The upstream issue is Azure/azure-sdk-for-js#13950 |
Another option: @mikeharder suggested that maybe we could use the browser-specific package @azure/storage-blob which is smaller than |
I've run into this as well while trying to install Rush into a Docker image. No matter what I try, keytar throws permissions errors and refuses to build correctly. Can be repro'd with a pretty simple Docker image:
Output includes these stubborn errors:
Making it easy for Rush to be included in Docker images would definitely be a plus, so dropping keytar (if possible) sounds good to me. |
The upstream issue has changed to: Azure/azure-sdk-for-js#14346 |
Oh BTW, I did finally figure out how to "fix" the install issue, though it's probably not great:
The |
Tagging this as a Tagging this as |
My docker builds work just fine, but keytar dependency does throw a warning. |
I can confirm what @ujwal-setlur is reporting. Despite all the errors and warnings,
|
Yeah, |
It does seem like Rush gets installed, but do all the warnings/errors mean that keytar wasn't installed? If that's the case, then the cloud build cache wouldn't work, right? Still seems like a problem if all the dependencies can't be installed correctly. |
True, |
Looks like we have a possible solution: PR #2647 |
This fix was released with Rush 5.46.0 |
Tested and works great for us! I no longer have to specify |
Summary
In #2467 (comment) , @HipsterZipster wrote:
Details
I agree that Node.js native dependencies are not very desirable. Besides the security concerns with native code (which cannot be audited like .js files), there's also the problem that maintainers may not provide prebuilt binaries for newer Node.js releases as we encountered in #2467.
Up until recently, Rush has had no native dependencies. The keytar dependency was introduced recently by the new cloud build cache feature, for the purpose of authenticating with Azure.
Some questions:
@azure/identity
either? That package facilitates REST calls, but could we use a different API to make the REST calls, thus eliminating these dependencies?@azure/identity
depends on 124 other packages comprising 17.3 MB and 2,518 files. So it would be generally beneficial to eliminate it from our install footprint.Standard questions
@microsoft/rush
globally installed version?node -v
)?CC @iclanton
The text was updated successfully, but these errors were encountered: