Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CI check to ensure no devDependency is required in production #7796

Open
3 tasks done
mtrezza opened this issue Feb 6, 2022 · 5 comments
Open
3 tasks done

Add CI check to ensure no devDependency is required in production #7796

mtrezza opened this issue Feb 6, 2022 · 5 comments
Labels
type:ci CI related issue

Comments

@mtrezza
Copy link
Member

mtrezza commented Feb 6, 2022
edited
Loading

New Feature / Enhancement Checklist

Current Limitation

The CI currently installs all dependencies including devDependendies, which are required to run tests. Therefore, if a dependency is required for a production deployment, but has accidentally been added to devDependendies instead of dependendies, the CI cannot not detect that and Parse Server may crash in a production deployment.

Feature / Enhancement Description

Add CI check that ensures all dependencies that are required for a production deployment are added in under dependendies and none of the devDependendies is required.

Maybe a tool like https://www.npmjs.com/package/dependency-check can make this easy to implement.

Example Use Case

See issue #7786

Alternatives / Workarounds

  • manually ensure during review that prod dependency is not added to dev dependency
@parse-github-assistant
Copy link

parse-github-assistant bot commented Feb 6, 2022
edited
Loading

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza mtrezza added the type:ci CI related issue label Feb 6, 2022
@mtrezza mtrezza mentioned this issue Feb 6, 2022
Closed
4 tasks
@mtrezza mtrezza changed the title Add CI check to ensure no dev dependency is required for production Add CI check to ensure no devDependency is required for production Feb 6, 2022
@mtrezza mtrezza changed the title Add CI check to ensure no devDependency is required for production Add CI check to ensure no devDependency is required in production Feb 6, 2022
@Moumouls
Copy link
Member

Moumouls commented Feb 7, 2022

@mtrezza, I completely forgot that an eslint rule exists for this use case !

Eslint will also helps to warn the developer directly in the IDE

https://github.com/import-js/eslint-plugin-import/blob/main/docs/rules/no-extraneous-dependencies.md

@mtrezza
Copy link
Member Author

mtrezza commented Feb 7, 2022

Even better! I had a quick look but not sure how to set the rule options for our use case.

@Moumouls
Copy link
Member

Moumouls commented Feb 8, 2022
edited
Loading

for this eslint rule @mtrezza we need to exclude the spec folder, as the docs suggest, in our case this one should works

"import/no-extraneous-dependencies": ["error", {"devDependencies": ["spec/*.js"]}]

Then it should throw an error if we import a devDep anywhere in the project (or atleast src) exept in spec folder

EDIT: It will not cover missing peer dep in production usage, but in our case @apollo was already imported directly, eslint will be able to prevent the issue first. Also peerdeps in common use cases are also required directly in the project (like react, apollo) and common utils when you work with a specific technology. So i'm convinced that the eslint rule in 99% of the time will catch a missing prod peer dep.

@mtrezza
Copy link
Member Author

mtrezza commented Feb 8, 2022
edited
Loading

"import/no-extraneous-dependencies": ["error", {"devDependencies": ["spec/*.js"]}]

That looks good; and according to the docs it seems to consider import and require.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:ci CI related issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mtrezza @Moumouls