Relax our dependency criteria #1503
Conversation
cristiano-belloni
commented
Mar 24, 2022
•
cristiano-belloni
commented
- Allow devDependencies to be in the dependency manifest
- Prevent throwing when generating the manifest if there are transitive deps, show a warning that this will be an error in next major
🦋 Changeset detectedLatest commit: a1a2e8d The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
cristiano-belloni
changed the title
cristiano-belloni
requested review from
benpryke,
cangarugula,
LukeSheard and
steveukx
cristiano-belloni
force-pushed
the
feature/relax-get-dependencies
branch
from
56a1421 to
5732dff
Compare
| const rootPackageJsonDependencies = rootManifest.dependencies || {}; | ||
| const targetPackageJsonDependencies = targetManifest.dependencies || {}; | ||
| const rootPackageJsonDevDependencies = rootManifest.devDependencies || {}; | ||
| const targetPackageJsonDevDependencies = targetManifest.devDependencies || {}; |
There was a problem hiding this comment.
nit: as an option for making this a bit less verbose:
const deps = Object.assign(Object.create(null).
targetManifest.devDependencies,
rootManifest.devDependencies,
targetManifest.dependencies,
rootManifest.dependencies,
);
// ...
manifest[depName] = deps[depName];
if (manifest[depName] === undefined) {
logger.error(...);
}There was a problem hiding this comment.
Done with
const deps = {
...rootManifest.dependencies,
...targetManifest.dependencies,
...rootManifest.devDependencies,
...targetManifest.devDependencies,
};
|
Are there any tests of the |
We have snapshot tests for the dependency manifest, which pass without modifications because we just relaxed our criteria (so there's no change). We don't have any test of the build command failing because of some deps not in package.json (but we wouldn't need them now, since with this PR it would never fail). |
| rootPackageJsonDependencies[depName] ?? | ||
| targetPackageJsonDevDependencies[depName] ?? | ||
| rootPackageJsonDevDependencies[depName]; | ||
| const depVersion = deps[depName]; |
There was a problem hiding this comment.
This is a potential prototype pollution - if the depName happens to be toString then it will be a property of deps whether it's specified or not.
There was a problem hiding this comment.
Agreed: using Object.assign(Object.create(null), ...) with a type assertion
