Fix for #322 #323
Fix for #322 #323
Conversation
|
Hi @matthewdavidson thanks for the PR. I agree about your proposal. Summarising, I would be happy if both component and registry maintainer declare "lodash" as dependency, and then server.js is able to require anything that matches "lodash" or "lodash/anything" or "lodash/anything/anything(etc)...". |
matthewdavidson
force-pushed
the
require-nested-paths-fix
branch
from
32d4f38
to
952ea1a
Compare
|
Apologies for the delay - I've updated the PR.
|
There was a problem hiding this comment.
I think all looks good excellent!
I still would like 2 little changes:
- A little cleanup on the npm-shrinkwrap (see inline comment)
- I see there are quite substantial changes on the dependencies management and lack of acceptance tests on that side. To improve that, I created another PR (Acceptance extra test #334) - so I would like that to be merged first so that rebasing this would run that test too.
| "version": "2.0.1", | ||
| "from": "require-package-name@latest", | ||
| "resolved": "https://registry.npmjs.org/require-package-name/-/require-package-name-2.0.1.tgz" | ||
| }, |
There was a problem hiding this comment.
Hi, many things have changed here but for the sake of this PR I would prefer to have only this five lines added here.
To summarise, usage of npm-shrinkwrap is not ideal and the only reason for having it at the moment is to lock a couple of sub-dependencies to versions that are safe (so that security checks are all green) - until we pay technical dept and upgrade them on separate PRs (jade to pug, express@4) - so that security checks can go green without overrides again (and we can get rid of shrinkrap).
So, for this PR, can I ask you to undo your changes to this file (probably done by automatically re-generating the shrinkrap on top of the package) and just manually add the require-package-name stuff?
There was a problem hiding this comment.
Done (i think).
There was a problem hiding this comment.
Thanks, can you just pull in the latest master so we can get that extra test ;)
… against dependency whitelist
matthewdavidson
force-pushed
the
require-nested-paths-fix
branch
from
63fccb4
to
b87b888
Compare
|
Thanks for taking care of this @matthewdavidson - just published this to a new version |
|
👍 🎉 |
This PR is by no means complete - I've spent a bit of time familiarising myself with the codebase and this is my quick hack to get things working. However as a result I have some observations...
Whilst I guess it's relatively uncommon, lodash is a good example of a package that exposes entry points multiple levels deep such as
lodash/fp/objectorlodash/fp/curryN. The method currently used to resolve packages - by reading the componentspackage.json- wont be enough to future proof this use case as it's not feasible to statically analyse the package for all of the possible entry points (at n levels of nesting).An alternative approach would be to refactor the
require-wrapperto pass any paths through torequireas long as they match dependencies that are listed in the componentspackage.jsonas well as conforming to the registries whitelist of dependencies.@matteofigus thoughts?