RFC: Only Registry Dependencies #593
Conversation
Does this cover only direct dependencies? What about transitives?
also, it's not about tarballs, it's about "from a registry" - users don't think about tarballs, and a tarball URL from a registry should be disallowed too.
Feedback from the meeting for updating this RFC
Perhaps in the future as another RFC, we can leverage cc: @ljharb / @darcyclarke to keep me honest ^ 🙏
re 4,
Not sure if this needs to be explicitly stated, but since I just recently had to do the work internally - the warning should also apply to
Ok, think I covered the feedback here in a follow up revision
For the next meeting, would just like to take another pass at the naming of the flag (
Happy to make any updates to the RFC title, filename, etc if it's ok to have another chat on the name and thanks again for all the help and feedback on this so far! 🙌
Thoughts on FWIW, this conversation is why I think we should consider following a well known path for this problem. We would need to have discussions like this for each of these new additions and they are gated by a central authority. The
Action Items / Takeaways
For testing
Had some time to play around with the above and got For example, was able to single out the eslint dependency as such from this package.json

```json
{
  "name": "npm-query-tarball-test",
  "dependencies": {
    "@babel/cli": "^7.4.0",
    "eslint": "git+https://github.com/eslint/eslint.git"
  }
}
```

```
% npm query ":root > *[resolved^="git"]"
[
  {
    "version": "8.20.0",
    "resolved": "git+ssh://git@github.com/eslint/eslint.git#0bcd2255c40b5c115a95181864776b0dd456c2dc",
    "license": "MIT",
    "dependencies": {
      "@eslint/eslintrc": "^1.3.0",
      "@humanwhocodes/config-array": "^0.9.2",
      "ajv": "^6.10.0",
      "chalk": "^4.0.0",
      "cross-spawn": "^7.0.2",
      "debug": "^4.3.2",
      "doctrine": "^3.0.0",
      "escape-string-regexp": "^4.0.0",
      "eslint-scope": "^7.1.1",
      "eslint-utils": "^3.0.0",
      "eslint-visitor-keys": "^3.3.0",
      "espree": "^9.3.2",
      "esquery": "^1.4.0",
      "esutils": "^2.0.2",
      "fast-deep-equal": "^3.1.3",
      "file-entry-cache": "^6.0.1",
      "functional-red-black-tree": "^1.0.1",
      "glob-parent": "^6.0.1",
      "globals": "^13.15.0",
      "ignore": "^5.2.0",
      "import-fresh": "^3.0.0",
      "imurmurhash": "^0.1.4",
      "is-glob": "^4.0.0",
      "js-yaml": "^4.1.0",
      "json-stable-stringify-without-jsonify": "^1.0.1",
      "levn": "^0.4.1",
      "lodash.merge": "^4.6.2",
      "minimatch": "^3.1.2",
      "natural-compare": "^1.4.0",
      "optionator": "^0.9.1",
      "regexpp": "^3.2.0",
      "strip-ansi": "^6.0.1",
      "strip-json-comments": "^3.1.0",
      "text-table": "^0.2.0",
      "v8-compile-cache": "^2.0.3"
    },
    "bin": {
      "eslint": "bin/eslint.js"
    },
    "engines": {
      "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
    },
    "funding": {
      "url": "https://opencollective.com/eslint"
    },
    "name": "eslint",
    "_id": "eslint@8.20.0",
    "pkgid": "eslint@8.20.0",
    "location": "node_modules/eslint",
    "path": "/Users/owenbuckley/Workspace/github/repos/npm-query-tarball-test/node_modules/eslint",
    "realpath": "/Users/owenbuckley/Workspace/github/repos/npm-query-tarball-test/node_modules/eslint",
    "from": [
      "",
      "node_modules/eslint-utils"
    ],
    "to": [
      "node_modules/@eslint/eslintrc",
      "node_modules/@humanwhocodes/config-array",
      "node_modules/ajv",
      "node_modules/eslint/node_modules/chalk",
      "node_modules/cross-spawn",
      "node_modules/debug",
      "node_modules/doctrine",
      "node_modules/eslint/node_modules/escape-string-regexp",
      "node_modules/eslint-scope",
      "node_modules/eslint-utils",
      "node_modules/eslint-visitor-keys",
      "node_modules/espree",
      "node_modules/esquery",
      "node_modules/esutils",
      "node_modules/fast-deep-equal",
      "node_modules/file-entry-cache",
      "node_modules/functional-red-black-tree",
      "node_modules/eslint/node_modules/glob-parent",
      "node_modules/eslint/node_modules/globals",
      "node_modules/ignore",
      "node_modules/import-fresh",
      "node_modules/imurmurhash",
      "node_modules/is-glob",
      "node_modules/js-yaml",
      "node_modules/json-stable-stringify-without-jsonify",
      "node_modules/levn",
      "node_modules/lodash.merge",
      "node_modules/minimatch",
      "node_modules/natural-compare",
      "node_modules/optionator",
      "node_modules/regexpp",
      "node_modules/strip-ansi",
      "node_modules/strip-json-comments",
      "node_modules/text-table",
      "node_modules/v8-compile-cache"
    ],
    "dev": false,
    "inBundle": false
  }
]
```

So will just keep tinkering around with the
From the call, got tipped off to these The takeaway was that the only types that should be initially blocked are example:

```
npm query ":root > *:not(:type(git,remote))"
```

So, should have enough info now to get this RFC updated accordingly. 👍
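The two queries tried in the thread (`[resolved^="git"]` and `:type(git,remote)`) classify dependencies by where they resolve from. As an added example, not code from the RFC, the npm CLI or the demo repo, the following Node.js script does the same classification offline over a lockfile v2/v3 `packages` map and walks every dependency edge, so a git or tarball dependency pulled in transitively is reported alongside the direct ones. The `specType` function is a simplified approximation of npm-package-arg's spec types (the registry range/version/tag cases are collapsed into one), and the lockfile together with the package names `internal-tool`, `vendored-helper` and `local-lib` is constructed for the example.

```javascript
'use strict';
// Added example (not part of the RFC, the npm CLI or the demo repo): find
// dependencies that are not installed from a registry by walking every
// dependency edge in a lockfile v2/v3 "packages" map, so transitive
// dependencies are checked together with the direct ones.

// Simplified approximation of npm-package-arg's spec types. npm-package-arg
// distinguishes range/version/tag for registry specs; they are collapsed to
// "registry" here because that is the only distinction this check needs.
function specType(spec) {
  const s = String(spec).trim();
  if (s.startsWith('npm:')) return 'alias';
  if (/^(file:|\.\.?\/|\/|~\/)/.test(s)) return 'file';
  if (/^(git\+|git:|git@|ssh:)/.test(s) || /\.git(#.*)?$/.test(s)) return 'git';
  if (/^(github|gitlab|bitbucket|gist):/.test(s)) return 'git';
  if (/^https?:\/\//.test(s)) return 'remote'; // tarball URL, registry host or not
  if (/^[^@\s/]+\/[^@\s/]+(#.*)?$/.test(s)) return 'git'; // "user/repo" GitHub shorthand
  return 'registry'; // semver range, exact version or dist-tag
}

// Every (parent -> child) edge declared anywhere in the lockfile, with the
// spec the parent asked for and its classified type.
function dependencyEdges(lock) {
  const edges = [];
  for (const [from, entry] of Object.entries(lock.packages || {})) {
    for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
      for (const [name, spec] of Object.entries(entry[field] || {})) {
        edges.push({ from: from || '(root)', name, spec, type: specType(spec) });
      }
    }
  }
  return edges;
}

// Edges whose type is in the blocked set; git and remote are the two types
// the thread settled on blocking initially.
function findBlockedDependencies(lock, blockedTypes = ['git', 'remote']) {
  return dependencyEdges(lock).filter((edge) => blockedTypes.includes(edge.type));
}

// Constructed sample lockfile: the two direct dependencies from the
// package.json in the thread, plus constructed packages "internal-tool"
// (from the registry) whose transitive dependency "vendored-helper" is a
// plain tarball URL, and "local-lib" pulled from a local path.
const SAMPLE_LOCK = {
  name: 'npm-query-tarball-test',
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: {
        '@babel/cli': '^7.4.0',
        eslint: 'git+https://github.com/eslint/eslint.git',
        'internal-tool': '^1.0.0',
        'local-lib': 'file:../local-lib',
      },
    },
    'node_modules/@babel/cli': { version: '7.4.0', resolved: 'https://registry.npmjs.org/@babel/cli/-/cli-7.4.0.tgz' },
    'node_modules/eslint': {
      version: '8.20.0',
      resolved: 'git+ssh://git@github.com/eslint/eslint.git#0bcd2255c40b5c115a95181864776b0dd456c2dc',
    },
    'node_modules/internal-tool': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/internal-tool/-/internal-tool-1.0.0.tgz',
      dependencies: { 'vendored-helper': 'https://example.com/vendored-helper-1.0.0.tgz' },
    },
    'node_modules/vendored-helper': { version: '1.0.0', resolved: 'https://example.com/vendored-helper-1.0.0.tgz' },
    'node_modules/local-lib': { resolved: '../local-lib', link: true },
    '../local-lib': { name: 'local-lib', version: '0.0.1' },
  },
};

// Print one line per blocked edge and return the exit code a CI job would
// use (0 = clean, 1 = at least one blocked dependency).
function report(lock, blockedTypes) {
  const hits = findBlockedDependencies(lock, blockedTypes);
  for (const h of hits) console.warn(`${h.from} -> ${h.name}@${h.spec} [${h.type}]`);
  return hits.length === 0 ? 0 : 1;
}

// Run over the constructed sample; a CI wrapper would assign this to process.exitCode.
const sampleExitCode = report(SAMPLE_LOCK);
console.log(`exit code: ${sampleExitCode}`);
```

The classification is done on the spec the parent declared rather than on `resolved`, which is what makes a tarball URL that happens to point at the registry host come out as `remote` instead of `registry`; passing a different `blockedTypes` array is the equivalent of changing the argument list of `:type(...)`.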
Ok, new round of feedback applied! 🙌
Question
OK, query updated! Think this might be good to go! 🙇
@@ -0,0 +1,167 @@ | |||
### References | |||
relates to #581 |
I believe this line can be removed prior to ratifying / accepting the RFC
When auditing dependencies with `npm audit`, the npm CLI should have a mechanism for communicating (and optionally failing on) dependencies that _do not_ come from a registry, like a [git URL](https://docs.npmjs.com/cli/v7/configuring-npm/package-json#git-urls-as-dependencies). | ||
> _**Note**: this RFC has a hard dependency on [`npm query`](https://github.com/npm/cli/pull/5000) landing to support its implementation._ |
Given that `npm query` has already landed I believe this note can be removed from the RFC text
To demonstrate, if you see [this demo repo](https://github.com/thescientist13/npm-query-registry-only-deps-rfc-demo) and follow the steps to `npm link` with a version that has `npm query`, you will see output for **eslint** but not **babel**, which is the desired outcome in this situation given that _package.json_ has eslint as a `git` dependency. | ||
## Unresolved Questions and Bikeshedding |
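Review bot: the opening paragraph of the RFC text ("When auditing dependencies with `npm audit`, the npm CLI should have a mechanism for communicating (and optionally failing on) dependencies that _do not_ come from a registry") does not say whether transitive dependencies are in scope, and the first question in this thread asks exactly that. The example queries discussed in the conversation all start with `:root > *`, and the child combinator only matches the root's direct dependencies, so a git or tarball package pulled in by a dependency would not be reported. Either state here that only direct dependencies are checked, or say that the whole tree is in scope and adjust the demo query to a descendant selector accordingly.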
This section is usually removed prior to ratifying / accepting, are all these questions answered?
Yeah, I believe everything here is covered, so will clean this up now.
Ok, all notes and bikeshedding cleaned up!
Here's the overall plan of record as I understand it:
Once command-specific config lands, each audit type will be configurable:
This will allow users to set whatever level of strictness they want, separately for both audit and install, while simultaneously allowing npm maximal freedom to change the defaults in semver-majors however they like - because users who dislike the defaults can just configure it in advance.
Now that npm query can be told to exit uncleanly if any results come back with
An example in the docs of how to do just that, especially in npmrc, would be amazing - and it’d still be nice and ergonomic (and help message that npm is encouraging this restriction) to have a single cli flag that wraps all the pieces.
When installing dependencies, the npm CLI should have a mechanism for communicating (and optionally failing on) dependencies that do not come from a registry.
References
related to #581