-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TSLint: no-implicit-dependencies should be enabled #25
Comments
@alcuadrado Hmm, since this didn't happen (as far as I am aware) during releases in the recent past and at the same time has somewhat heavy implications on the practicality of things, I wonder if it is really worth the introduction? |
Oh, I don't think there's a big risk of this happening, as dependencies in EthereumJS aren't frequently changed (which is great IMO). It's a nice-to-have, and a good (but somewhat tedious) task for someone getting into EthereumJS, so I thought about creating this issue. |
We're more exposed to this risk on the VM monorepo (related: ethereumjs/ethereumjs-monorepo#730). I'd like to have this set up some point in time. |
@evertonfraga I added it in 780a088 |
So for what solution do we go here regarding the initial thread on what @alcuadrado proposed? |
(I never completely got the "dangerous" part from 1. and 2. TBH, would be glad if someone could expand on that) |
There are some techniques to simplify the overall dependency tree for monorepos.
An example of this setup is: // <root>/package.json
{ …
"devDependencies": {
"chai": "latest"
}
} // packages/account/package.json
{ …
"devDependencies": {}
} // packages/account/test/index.js
const chai = require('chai') Due to how module resolution work in node (recursively up the directory tree), this will run without issues. And if one publishes a library with that setup, no pandas would die. Now, the danger lies if we do that same thing for a proper // <root>/package.json
{ …
"dependencies": {
"bn.js": "latest"
}
} // packages/account/package.json
{ …
"dependencies": {} 🚫🚫🚫
} // packages/account/index.js
const BN = require('bn.js') The code will run, tests will pass. But the bundled package will not contain
|
@alcuadrado did I miss anything? |
Nop, I've been following this, and I agree with what you said. Using a monorepo increases the chance of using an undeclared dependency, so IMO also this linter rule's importance. |
Some context: Yesterday Web3.js released a broken package. The problem was that one of its modules was doing a
require
of a dependency of a devDependency. I took some time to see if this could accidentally happen in EthereumJS and couldn't find anything preventing it.I think we should enable
tslint
'sno-implicit-dependencies
rule, that prevents this from happening.It has a small annoyance though. For it to actually work, it should only consider
dependencies
andpeerDependencies
as valid, so anything installed indevDependencies
that is used in a test will be flagged as an error if we use the sametslint
config for tests.There are two ways to solve that:
tslint
to also considerdevDependencies
as installed. This is pretty dangerous.chai
, it may be ok, as nobody would usechai
outside of a test.// ts-lint-disable-next-line no-implicit-dependencies
before any conflicting require in the test files.This is a great first issue, as the change is very small, but it exposes you to the release process of this library. We need to merge it here, release a new
ethereumjs-config
version, and update it in the other projects.The text was updated successfully, but these errors were encountered: