-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calculate classpath using tools.deps and provide nvd-clojure as a regular -X function? #166
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @ivarref, thank you for a sensible PR!
I'm aware of this technique and it is indirectly mentioned in the docs.
However, in principle I do not wish to support it.
For instance, how do you guarantee that users will specify :replace-deps
instead of :extra-deps
? Same for :replace-paths
.
And how do you guarantee that having tools.deps as a dependency does not alter nvd-clojure's transitive dependency tree?
That kind of reasoning lead me to support first just one way to run this for clojure
users, and later a Tools offering.
The Tools offering is highly idiomatic and reusable. The other one is a bit more surprising, but I'd love for people to see that a single-file directory and a just-data, tiny deps.edn are extremely cheap things to have.
Both techniques allow us maintainers to discard whole categories of bugs.
Last but not least, probably there's nothing stopping you from distributing your own program somewhere and compose it with nvd-clojure
. Simply keep in mind that should you encounter a bug, it should be reproducible with one of the officially supported methods.
Cheers - V
(let [{:keys [root-edn user-edn project-edn]} (deps/find-edn-maps "deps.edn") | ||
master-edn (deps/merge-edns [root-edn user-edn project-edn]) | ||
aliases (or aliases []) | ||
combined-aliases (deps/combine-aliases master-edn aliases) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section, although tiny, represents a duplication of what CLI clojure
usage does internally.
Having that duplication of knowledge represents a surface area for bugs/misunderstandings that would not otherwise exist.
...I'm aware that this reasoning might be considered overly cautious in 9 out of 10 projects, but nvd-clojure is the one-in-ten project that does deserve squeezing the last drop of correctness.
I'd want the project to guarantee that it's doing what it says it does - our users deserve no less, if we're promising security.
Thanks for the thoughtful response @vemv !
The deps.edn file can be read and verified that no
It's possible to inspect this. I pushed a namespace for this:
We can see that introducing tools.deps does alter the tree, bumping
I suppose it also would be possible to call make_classpath2 directly. All that said, I get the impression that you've made up your mind about this, and that is perfectly fine. Did any of the above change your mind? If not I'm happy to discard the pull request. If you are now more convinced than before that this is a good idea, I could try:
Let me know what you think. |
I'll make a separate post as I've learned more about tools.deps today (thanks to a colleague). First it seems that My project's deps.edn can then be like this:
Clojure CLI does the right thing regardless if you use |
PS: If it's decided that it's OK to include tools.deps, it is also possible to print a dependency tree with highlighted problematic dependencies. I've done some work in that direction at the following repo: https://github.com/ivarref/finddep Best regards |
Thanks for the ping! I'll get back to this soon. I'm not sure I'll be convinced but I'll try to give it a read open-mindedly. Cheers - V |
Hi @vemv (and others)
And thanks for a great project!
I'm wondering if it is worthwhile to support calculating the classpath using tools.deps, thus avoiding the need for an extra script.
With the changes in this pull request, adding the following alias to an existing project:
enables to execute the nvd check using simply
clojure -X:nvd-check
.I've verified that the new code in
nvd.task
produces identical classpath to the output ofclojure -Spath
.(There could of course be something else I've missed, I'm not a classpath and/or tools.deps expert or anything like that.)
What do you think?
Thanks and kind regards.