-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Workspace dependencies #10306
Comments
There are several potential strategies for workspace dependenices
For me, putting only duplicated dependencies in as workspace dependencies just seems like a source of churn as that is dependent on the current implementation of your code base and can change. |
While I agree with most of arguments, I'm still not sure about this part:
Sure it can cause some friction, but it is mostly the same as adding new and removing unused dependencies because of changes in the implementation. Personally I'm thinking about putting all dependencies in the workspace config file, but it is still feels strange in cases if a dependency is used only once. Especially if is a wrapper of some kind and other workspace crates uses underlying dependency through this wrapper. |
It is a couple extra steps
btw rust-lang/cargo#10608 might be of interest for exploring what the |
I agree with the concerns above but OTOH, updating a dependency and make sure you sync versions (especially important if you share data-structures) is much easier, and updating deps is more frequent than adding new ones, especially in a big repo. |
We have a monorepo and want to manage all dependencies centrally like we do for many other languages we support. A linter like this would be immensely helpful. Seems an EarlyLintPass check could do this: https://doc.rust-lang.org/nightly/nightly-rustc/rustc_lint/trait.EarlyLintPass.html#method.check_crate Path dependencies should be allowed, but all version and repo dependencies should be defined in a workspace. |
To clarify, I'm suggesting the focus should be on centralizing all dependencies, not just duplicated. Maybe path dependencies can be a config field on top of that. I think the case for linting only duplicates is small and we shouldn't be driving people to do that by making it the only lint. In defining a lint for workspace dependencies, we'd need to decide how to handle two dependencies with the same name, because of different version requirements. It should emit but not be machine applicable (ie no Also, machine applicable changes should only consolidate the source. Unsure if it should |
Yep. That's what I want, too. When possible in our supported languages' package managers, we want central oversight and management e.g., separate CODEOWNERS entries for files/directories used for central package management - not just for security, but also to help watch for unnecessary version bumps so we maintain the lowest possible dependencies in some cases e.g., nuget.
In our case, we don't want that but I can appreciate some might. Perhaps a linter option? I don't particularly care if it's opt-in or -out. Could you clarify the third paragraph? I'm afraid I don't follow. |
More so, the lint can't suggest an automatic fix because
Now to what should or shouldn't be suggested. With workspace dependencies, we took a layered config approach where we support merging two different dependency tables. This allows you to centrally say that a feature should be enabled and all packages that reference your workspace dependency get it enabled. There are times where there are requirements that drive a feature to be enabled across your entire workspace but I feel that isn't so often the case and the implementation just happens to need the two features. Centralizing that implementation detail couples things together, causing churn and makes it harder to audit what features are enabled that don't have to be. This came up when we were considering the ability to specify which dependencies are public and which are private. For API stability, it is best to be minimal about what you declare to be public. For that reason, we decided to not make the The main reason for sharing features in a workspace dependency as a poor man's "workspace hack" (if not familiar with that term, feel free to skip this section). I say poor man's because feature unification is still dependent on what dependencies exist in each package so a workspace hack should still be used if desired. |
Interesting. A quick search yields a lot of links to https://docs.rs/cargo-hakari/latest/cargo_hakari/about/index.html. Think that sums it up? For our case, I highly doubt we'll run into that problem, but I appreciate trying to account for it in a linter. I agree we can't really fix it - and I'm wondering if we can even completely fix the general "put your dependencies in the workspace and inherit" since we only likely have access to the package manifest - but we could certainly warn on it, sort of like, "hey, this might be a mistake". People could suppress it if that's what they intended. Thoughts? |
I think an opt-in package-scoped lint that emits on non-workspace sources for package dependencies in an explicit I don't know about clippy's internals but I would hope it can be machine applicable and I would suggest the following behavior:
My hope/expectation is that if two workspace members have duplicated dependencies, I would suggest treating I would also suggest a workspace-scope lint that emits whenever non-source information is in |
Just because it will probably be easier to get right initially (not that it's too hard later), I'm waffling on a name. Given we want to allow workspace and package dependencies now, seems a lint name needs to reflect that workspace dependencies are required. Looking at similar lints in https://rust-lang.github.io/rust-clippy/master/index.html, maybe Also thinking this sounds more like a |
I think (cargo as a group name seems weird to me since thats cross-cutting and clippy aims for one group per lint iirc) |
Thanks. I'll look into those. I did start implementing one as a cargo/ function only to realize that I could see if cargo maintainers would be open to exposing this information within the |
No idea whats idiomatic within clippy as I'm familiar with the cargo side. I would not expect to add these implementation details to |
What it does
I'm not sure if it is a Clippy responsibility, but I think it would be nice to suggest to use "workspace dependencies" if some library is used in multiple workspace crates.
Perhaps the opposite changes can be suggested if a dependency is used only once or less than some threshold value, though this logic should probably be a separate lint. Ideally both values should be configurable.
Lint Name
workspace_dependencies
Category
pedantic
Advantage
Drawbacks
The only disadvantage I can see is that such lint can be noisy for small workspaces, so it probably should be disabled by default.
Example
I don't think this example is needed, but nevertheless:
Could be written as:
The text was updated successfully, but these errors were encountered: