Parcel: Disabling autoinstall globally

Created on 29 Sep 2018 · 6 Comments · Source: parcel-bundler/parcel

🙋 feature request

Add the possibility to set --no-autoinstall globally for every parcel call using an env variable (e.g. PARCEL_NO_AUTOINSTALL).

💁 Possible Solution

Make it so. I can submit a PR if you would accept this feature.

🔦 Context

The autoinstall feature might be great for beginners, but today it worked against me two times in a row:

  • I switched over from React to Preact. First, I uninstalled react and installed the preact package to then start parcel and see where I need to change the imports. But instead, parcel reinstalled react.
  • I imported "style.css" instead of "./style.css", and parcel installed the "style.css" package.

I don't want to add the --no-autoinstall flag to every project of mine and having this flag set implicitly (so not specified in the package.json) doesn't change the build output.

Feature Autoinstall

All 6 comments

It should be fairly easy, feel free to open a PR. I'm personally not a huge fan of making this stuff more complex, but I see the value in it.

PR for this if anyone has a chance: https://github.com/parcel-bundler/parcel/pull/2130

My 2c: installing anything without the user's express knowledge and consent is a huge security risk which will end up compromising someone's system and bringing this project into disrepute.

While this workaround is well-meaning, and arguably better than the status quo, it's still a sticking plaster, which legitimizes the current (mis)behavior rather than fixing the underlying problem: it should be opt in rather than opt out.

@chocolateboy I agree about installing code dependencies, but not about the parsers and such parcel internally uses to process assets as it removes some of the complexity without the need of including them all as parcel dependencies

Hypothetical example for the security risk: With import React from 'reac';, parcel installs that dependency (and runs its postinstall scripts). Without autoinstall, I would have realised my typo while typing yarn add reac.
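
The typo cases reported in this thread ('reac', "style.css" without "./") can be caught before any install runs by comparing a file's imports with package.json. The following is an added example, not part of the original thread and not Parcel's code; `undeclaredImports`, `packageName` and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example: report bare import specifiers that are not declared in
// package.json, i.e. what an autoinstalling bundler would fetch and install.
// Regex-based sketch: it does not skip comments or treat Node core modules specially.

// import x from 'a' / export ... from 'a' / import 'a' / import('a') / require('a')
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"\n]+)\1/g;

// Map a specifier to the package it would resolve to, or null for local paths.
function packageName(specifier) {
  // Relative, absolute, tilde and scheme-prefixed specifiers are not packages.
  if (/^(\.|\/|~|[a-z]+:)/i.test(specifier)) return null;
  const parts = specifier.split('/');
  // Scoped packages keep two segments: @scope/name/sub -> @scope/name
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function undeclaredImports(source, pkg) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
  ]);
  const missing = new Set();
  for (const match of source.matchAll(IMPORT_RE)) {
    const name = packageName(match[2]);
    if (name && !declared.has(name)) missing.add(name);
  }
  return [...missing].sort();
}

// Constructed sample modelled on the cases reported in this thread.
const samplePkg = { dependencies: { preact: '^8.0.0' } };
const sampleSource = `
import React from 'reac';
import { h } from 'preact';
import "style.css";
import "./style.css";
const fp = require('lodash/fp');
`;

console.log(undeclaredImports(sampleSource, samplePkg));
```

Run as a pre-build or CI step, a non-empty result can fail the build so that every new dependency is added to package.json deliberately.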
