-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci - install deps - limit install scripts to whitelist #7208
Conversation
Builds ready [bc45ed0]
|
Co-Authored-By: Mark Stacey <[email protected]>
aha test failures, thats more what I was expecting |
This seems pretty reasonable, though from the looks of CI there is at least one package missing from the list. I'm a bit concerned that it might be difficult to determine if we've missed one, as our test coverage does have some significant gaps. So it's possible we're missing an important build step that'll result in a subtle bug somewhere. I'm also a bit concerned about how we're to maintain this list over time. Maybe we could recursively scan all dependencies for build scripts, and compare it to the list we've manually built? Then there's the question of which scripts we do want to run. It's possible we have packages with optional scripts that we could just ignore. This package implemented something similar that stored the list in |
My first assumption is that nothing that ends up in the bundle actually requires a install script, unless someone is babel compiling at post-install time. My assumption is that its mostly for native deps (bindings to code that needs to be compiled, eg written in c or something) that are part of our build and test systems nice find with |
wrote a script, these ones have scripts
|
I'm so confused, my tool is reporting that |
oh hell, this is the default value for the install script |
for the second phase "build time", we could maybe use a nodejs loader but this suggests it only works with esm |
Builds ready [3428381]
|
surprised these weren't needed |
Added my utility script that shows what deps have install scripts. we only run a small subset of them
|
Builds ready [ddb1a25]
|
I don't expect it to need to change very often but as long as CI fails, the list should get updated. If it gets a bit stale, its not too bad, but currently will need some manual review. anyways im happy with this for now |
Builds ready [c9c69be]
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
* origin/develop: (56 commits) Add advanced setting to enable editing nonce on confirmation screens (MetaMask#7089) Add migration on 3box imports and remove feature flag (MetaMask#7209) ci - install deps - limit install scripts to whitelist (MetaMask#7208) Add a/b test for full screen transaction confirmations (MetaMask#7162) Update minimum Firefox verison to 56.0 (MetaMask#7213) mesh-testing - submit infura rpc requests to mesh-testing container (MetaMask#7031) obs-store/local-store should upgrade webextension error to real error (MetaMask#7207) sesify-viz - bump dep for visualization enhancement (MetaMask#7175) address book entries by chainId (MetaMask#7205) Optimize images only during production build (MetaMask#7194) Use common test build during CI (MetaMask#7196) Report missing `en` locale messages to Sentry (MetaMask#7197) Verify locales on CI (MetaMask#7199) updated ganache and addons-linter (MetaMask#7204) fixup! add user rejected errors add user rejected errors update json-rpc-engine use eth-json-rpc-errors Remove unused locale messages (MetaMask#7190) Remove unused components (MetaMask#7191) ...
moving in parallel to SESify/lavamoat, I'm doing some research to reduce our exposure to 3rd party code.
There's 3 main phases we need to concern ourselves with: