Sdk: ensure that packages meant for publishing do not have path or git dependencies

Created on 26 Oct 2020 · 8 Comments · Source: dart-lang/sdk

Unless a package is marked publish_to: none, we should add a warning if there are any path or git dependencies in a pubspec.

Follow-up from: https://github.com/dart-lang/sdk/issues/43897#issuecomment-716467332.

/cc @jonasfj @sigurdm

analyzer-hint area-analyzer

All 8 comments

What if there's no version field? Should we still warn?

Hmm, I suppose we could do either:
(A) say that if there is no version field, that is equivalent to saying the package isn't meant for publishing; OR;
(B) say that if version field is missing, there should be a publish_to: none field.

Both of these options would be valid. But I suspect a lot of applications have neither version nor publish_to: none. Hence, (A) might be preferable because it annoys as few users as possible.

Not having a version prevents you from publishing; pushing users to be overly explicit by making them add publish_to: none just seems like extra work. If they try to publish, it'll certainly be obvious that they are missing a version field :)

I prefer (A). It seems like a good default.

Thanks!

I suspect some people will prefer the explicit approach while others will be satisfied w/ a missing version. (I, for one, prefer being explicit (B) but I tend to be a bit pedantic 😉.) For the purposes of the warning, I think we want to respect both flavors and can suggest either remedy in the warning documentation.

By allowing a missing version to be a signal that the package isn't intended to be published we prevent the tool from catching a possible problem, but these checks are enabled by default, so we should aim for zero false positives. I would suggest that we go with (A).

> For the purposes of the warning, I think we want to respect both flavors and can suggest either remedy in the warning documentation.

I'm not sure that we want to suggest removing version information as a remedy; it seems much better to add the publish_to: none.

> I'm not sure that we want to suggest removing version information as a remedy; it seems much better to add the publish_to: none.

That's a good point! :D

Especially because Flutter apps contain a version property in pubspec.yaml, which the application uses to communicate app version and build number for Android/iOS (or something like that).

Ok, great. I think we've converged on a plan:

A pubspec containing path or git dependencies will get a warning if it contains a version but not publish_to: none. When we suggest a fix we will recommend adding publish_to: none.

Note.
path/git-dependencies are perfectly fine in dev_dependencies and dependency_overrides.
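
The rule the thread converged on, written out as a check over an already-parsed pubspec. This is an added example, not the analyzer's implementation; the function name `unpublishableDependencies` and the sample pubspecs are assumptions made for illustration.

```dart
/// Returns the names of entries under `dependencies` that use a `path` or
/// `git` source, or an empty list when the pubspec should not be flagged.
/// (Hypothetical helper name; input is a pubspec already parsed into a map.)
List<String> unpublishableDependencies(Map<String, dynamic> pubspec) {
  // `publish_to: none` is the explicit opt-out.
  if (pubspec['publish_to'] == 'none') return const [];
  // No `version` field: treated as "not meant for publishing" (option A).
  if (pubspec['version'] == null) return const [];

  final deps = pubspec['dependencies'];
  if (deps is! Map) return const [];

  final flagged = <String>[];
  // Only `dependencies` is inspected; `dev_dependencies` and
  // `dependency_overrides` may use path/git sources freely.
  deps.forEach((name, spec) {
    if (spec is Map && (spec.containsKey('path') || spec.containsKey('git'))) {
      flagged.add('$name');
    }
  });
  return flagged;
}

void main() {
  // Constructed sample pubspec, not taken from any real package.
  final publishable = <String, dynamic>{
    'name': 'example_pkg',
    'version': '1.0.0',
    'dependencies': {
      'http': '^0.13.0',
      'local_utils': {'path': '../local_utils'},
      'forked_lib': {'git': 'https://example.com/forked_lib.git'},
    },
    'dev_dependencies': {
      'test_helpers': {'path': '../test_helpers'},
    },
  };
  final optedOut = {...publishable, 'publish_to': 'none'};
  final noVersion = {...publishable}..remove('version');

  print(unpublishableDependencies(publishable));
  print(unpublishableDependencies(optedOut));
  print(unpublishableDependencies(noVersion));
}
```

Only the first pubspec is flagged, and only for `local_utils` and `forked_lib`; the path dependency under `dev_dependencies` is ignored in all three cases.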
