Describe the user story
I'm a package author, and I want to explicitly list the files that my users are allowed to require. I want to do this in order to prevent them from accessing my private files.
I'm a web architect, and I want a way to import packages installed through Yarn. This currently isn't possible because the Node resolution would require http requests to convert the lodash bare specifier into lodash/index.js.
Describe the solution you'd like
Packages would have access to a new entryPoints field that would list the files that users are allowed to require. If the user makes a require call to an unlisted file the PnP resolver would throw an exception.
As a side effect, because entryPoints would list all entry points, we would be able to simplify the Node folder & extension resolution by checking which entry exists within the array rather than by querying the file system - yielding unprecedented runtime resolution speed and opening up the possibility to use the Node resolution within browsers (since no http lookup would be required anymore).
Describe the drawbacks of your solution
Since this would affect how the .pnp.js file is generated, it would require us to add an additional field into the Package type (which would then have to be serialized in the lockfile).
Describe alternatives you've considered
The entryPoints could potentially be a more complex feature that would map a require name to a require path (for example "corejs/es5": "corejs/builds/es5.js"). This doesn't look like a good idea as it would not work under different package managers that wouldn't use this standard.
Additional context
First referenced in yarnpkg/yarn#6945
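
The lookup proposed in this issue, sketched as an added example (not code from the issue or from Yarn): requests are resolved against the package's entryPoints list with set lookups only, and anything unlisted, including a path that uses ".." to reach a private file, throws. The function names, the extension order and the sample list are assumptions, and package.json "main" handling is left out.

```javascript
// Added illustration, not Yarn's code: a resolver for the proposed
// `entryPoints` field. Names and the extension order are assumptions.
const EXTENSIONS = ['.js', '.json', '.node'];

// Collapse "." and ".." segments so "fp/../secret.js" is checked as "secret.js".
function normalizeSubpath(subpath) {
  const out = [];
  for (const segment of subpath.split('/')) {
    if (segment === '' || segment === '.') continue;
    if (segment === '..') {
      if (out.length === 0) throw new Error(`"${subpath}" escapes the package`);
      out.pop();
    } else {
      out.push(segment);
    }
  }
  return out.join('/');
}

function resolveEntryPoint(pkgName, entryPoints, request) {
  if (request !== pkgName && !request.startsWith(pkgName + '/')) {
    throw new Error(`"${request}" is not a request into ${pkgName}`);
  }
  const allowed = new Set(entryPoints.map(normalizeSubpath));
  const base = normalizeSubpath(request.slice(pkgName.length + 1));

  // Same order as Node's file, extension, then folder lookup, but each probe
  // is a Set lookup instead of a file system (or HTTP) query.
  const candidates = [];
  if (base !== '') {
    candidates.push(base, ...EXTENSIONS.map(ext => base + ext));
  }
  const dir = base === '' ? '' : base + '/';
  candidates.push(...EXTENSIONS.map(ext => `${dir}index${ext}`));

  const hit = candidates.find(candidate => allowed.has(candidate));
  if (hit === undefined) {
    throw new Error(`${pkgName} does not list "${base || '.'}" in entryPoints`);
  }
  return `${pkgName}/${hit}`;
}

// Constructed sample: "lib/internal.js" ships in the package but is not listed.
const SAMPLE_ENTRY_POINTS = ['index.js', 'fp/index.js', 'fp/map.js', 'package.json'];
```

Because the allowlist is compared after normalization, the check cannot be bypassed by spelling a private path through a listed directory.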