-
Notifications
You must be signed in to change notification settings - Fork 682
Make Nuclide play well with projects using different versions of Flow #570
Comments
Thank you!
I understand what you are concerned about. I'd like to use
But I understand a security issue for Nuclide supports this style. Also, I think some other editor plugins(ESLint etc..) have the same issue.
👍 for this. It would be nice that the script is able to install(uninstall) We generally use different versions of languages and libraries by each projects. |
Thanks for the write up.
This is already how other plugins like ESLint work. So I think it should be fine to expect people to enable this explicitly. Another solution is to show a banner before starting flow, and the user can enable flow from node_modules for that project knowingly.
That sounds interesting. How does installing multiple flow versions work with the wrapper?
How will this work? Will Nuclide has to bundle every flow version available? |
|
sounds like bundling the binaries will be much better :) I usually use a local npm caching tool like |
What if there were a published list of checksums for all the Flow binaries somewhere that Nuclide could trust? The biggest downside would be that Nuclide would have to checksum the binary each time, but maybe it's worth seeing how much that actually matters in practice? |
(I just noticed that ^ this is basically what @zertosh already said... :p ) |
Nuclide could copy it to a temp directory and checksum it once. But yes, it's necessary to have @satya164 regarding bundling Flow with Nuclide, we could either ship binaries for all platforms of all supported Flow versions (probably not doable), or download them on the fly. Since this code lives inside of Nuclide and not in the project being opened, there are not security concerns if Nuclide itself downloads it. However that does have the problems that @zertosh pointed out, such as not using npm's proxies. Anyway I will start by implementing a setting that allows Nuclide to look for |
Summary: This makes the various parts easier to reason about and paves the way for the setting to use the `flow-bin` copy of Flow (#570), since we can have a separate path to Flow for each root. One unpleasant side effect of this change is that we are now caching the pathToFlow setting, when we weren't before. That means that after you update the setting, it can take up to 30 seconds to take effect. I will explore options to improve this but I don't think it should block this diff. This kills a lot of code which I will remove in a separate diff. Reviewed By: mostafaeweda Differential Revision: D3555803 fbshipit-source-id: e56cae562ae8f5f522aba568fe867fbba751b80c
Summary: As noted in the setting description and in #570, enabling this setting is a security risk unless you fully trust all of the projects that you open. However, it can be very useful if you are willing to only open projects you trust. It can't be the default, but there has been enough demand for such a setting that it was worth implementing. Reviewed By: zertosh Differential Revision: D3590454 fbshipit-source-id: e9b391459ccded64b98d976bf22b43ba28033910
Summary: We want to support Flow outline view outside of Flow root, and even for untitled files. Obviously, we have to use the system-wide Flow for that. But we also want to support Flow outline view if the only Flow you have is a local `flow-bin` installation (assuming you have the setting to use `flow-bin` checked). See #570 Reviewed By: zertosh Differential Revision: D3593787 fbshipit-source-id: 8e11b3156e9db379026b66650c904d61ddd7f493
Is there any workaround available for this? It seems to be a show stopper for actually using this unless everything you work on uses the same global version of flow. |
Related: the current documentation regarding this topic is a little confusing. E.g. https://github.com/facebook/flow#installing-flow As it is, it's easy for new users to end up going in circles for a bit. At the very least maybe something should be added to https://nuclide.io/docs/help/troubleshooting/#flow-issues ? |
Bumping this issue because this documentation loop (mentioned by @mrienstra) still exists: |
There have been lots of questions about this recently so I wanted to take the time to explain where we are.
The Problem
Many projects specify a Flow version in their
.flowconfig
file. This is useful because Flow upgrades usually introduce breaking changes, so projects can upgrade their Flow version at their own pace. Flow will refuse to start if its version does not match the version specified in the.flowconfig
(Note: Nuclide will currently fail silently if this is the case -- I intend to have it pop up a message but I haven't gotten around to it yet).This works fairly well within Facebook because we deploy a bunch of recent Flow binaries and call them through a wrapper script that first inspects the
.flowconfig
. So, you change the version in your.flowconfig
and everything Just Works™️, even if you are working on projects that have different Flow versions. However, currently folks external to Facebook are expected to manage their own Flow versions. Without this wrapper script, there will typically be just one system-wide Flow version installed, so you are out of luck if you want to use different versions of Flow with different projects.Potential Solutions
flow-bin
The Flow team publishes the
flow-bin
npm package every time they do a Flow release. You can use this to install Flow system-wide, or individual packages can add it as adevDependency
to have their own version of Flow set. Then, you can just run the binary insidenode_modules
.It would be trivial, from a technical perspective, to have Nuclide look inside
node_modules
for the copy of Flow installed byflow-bin
.Unfortunately, this is a glaring security vulnerability since Nuclide runs Flow all the time while you are browsing. So, just by downloading and browsing a malicious project, your machine will get completely owned. They could just have a repository with their code in
node_modules/bin/flow
or whatever the path is, and bam. Generally, people don't have the expectation that just browsing source code requires trust in the project they are looking at.I'd be willing to implement a setting to enable this (with a scary description so people know the risk they are taking on), if there is demand, but that only works for people who know to ask for it. It would be better to fix this issue for everyone.
Distribute something like our internal wrapper script
When you install Flow, we could include a bunch of versions and have a central script that looks at the
.flowconfig
and decides which binary to actually run. Then, Flow externally would behave exactly like Flow internally and things would basically just work. No modifications to Nuclide would be necessary, and this also has the advantage (over the option below) that you can run Flow from outside of Nuclide, from the command line (useful for a variety of reasons, including debugging Nuclide/Flow issues). However it has the disadvantage that you still have to manually install Flow in addition to NuclideBundle Flow with Nuclide
A few points about this:
Other than that, it's basically the same as above. Nuclide checks the
.flowconfig
for the right Flow version and then just runs it.cc @zertosh @jeffmo @peterhal @koba04 @satya164
Twitter exchange that prompted this writeup: https://twitter.com/natmote/status/749009001329807361
The text was updated successfully, but these errors were encountered: