Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assorted fixes #499

Merged
merged 1 commit into from
Jun 16, 2020
Merged

Assorted fixes #499

merged 1 commit into from
Jun 16, 2020

Conversation

FredKSchott
Copy link
Owner

@FredKSchott FredKSchott commented Jun 16, 2020
edited

Hope you don't mind that these are all together.

  • Added: if (!depManifestLoc || !depManifest) {
    • More correct, and better for TypeScript usage
  • Added: loc: require.resolve(...
    • Turns out we were relying on Rollup to do this for us, and sometimes didn't pass full file paths (if foundEntrypoint was a partial like index, coming from from "module": "index" in a package.json).
  • Removed: autoDetectNamedExports() auto-detection
  • Added: (Is it installed?) message
    • This came from a user reported issue, where Snowpack said "cannot resolve "some-package" and the user thought that it was a problem with Snowpack, and not the fact that the package was a peer dependency that hadn't been installed properly.

@FredKSchott FredKSchott requested a review from drwpow June 16, 2020 06:07
@FredKSchott FredKSchott requested a review from a team as a code owner June 16, 2020 06:07
@stramel
Copy link
Contributor

stramel commented Jun 16, 2020

After publishing this fix, we should probably deprecate the versions that include that vulnerability?

@FredKSchott
Copy link
Owner Author

Which vuln, our use of autoDetectNamedExports? This was only a concern for our CDN's usage of Snowpack, where would be running on many, untrusted packages. For the general user, the removed code was no different than require()-ing a dependency that you'd chosen to use in your project.

@stramel
Copy link
Contributor

stramel commented Jun 16, 2020

Yeah, I was referring to #488. Just making sure we cover our bases. I guess it sounded worse than it is when skimming the issue you wrote.

drwpow
drwpow approved these changes Jun 16, 2020
View reviewed changes
Copy link
Collaborator

@drwpow drwpow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! These are all small enough 1 PR makes sense.

@FredKSchott FredKSchott merged commit 6b1eba6 into master Jun 16, 2020
@FredKSchott FredKSchott deleted the assorted-fixes branch June 16, 2020 16:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drwpow drwpow drwpow approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Run autoDetectExports in a sandbox
3 participants
@FredKSchott @stramel @drwpow