Update npm-packlist #11

Open
bluwy opened this issue Dec 18, 2022 · 6 comments
Labels
enhancement New feature or request

Comments

bluwy (Owner) commented Dec 18, 2022

npm v9 introduced a breaking change to npm-packlist (release notes). However, yarn v3 and pnpm v7 have not adopted this yet.

This issue tracks when yarn and pnpm start moving towards the new pack logic before we update it.

bluwy added the enhancement label Dec 18, 2022
bluwy (Owner, Author) commented Jun 11, 2024

inflight is now deprecated, and it would be good to bump this to prevent the warnings.

publint 0.2.8
└─┬ npm-packlist 5.1.3
  └─┬ glob 8.1.0
    └── inflight 1.0.6

bluwy (Owner, Author) commented Jun 18, 2024

Thinking about this today, I think it's better to take a step back and not get involved by manually invoking packing. Different package managers have different ways of packing files and packing package.json, and they can pack the publishConfig field differently too:

This means publint's current publishConfig detection is non-standard (follows pnpm).

Proposed solution

Create a new option:

pack: 'auto' | 'npm' | 'yarn' | 'pnpm' | { command: string } | { tarballPath: string }

auto is the default, which will find a lockfile locally to detect either 'npm' | 'yarn' | 'pnpm'. The command will be executed and output into an OS temporary directory, which we'll unpack and then delete. If { command: string } is passed, it'll run that pack command instead. If { tarballPath: string } is passed, it'll simply use that tarball.

After unpacking the tarball, the paths should be normalized to match the existing filesystem paths. The main data we need is really only the published package.json and the file paths packed. It's safe to assume package managers don't change more than that?

bluwy added the future enhancement label and removed the enhancement label Jun 18, 2024
charlyoleg2 commented
Would be great to update the dependency npm-packlist! I get 2 deprecated warnings and 3 high vulnerability warnings because of that dependency.

SymphonySimper commented Oct 28, 2024

> Would be great to update the dependency npm-packlist! I get 2 deprecated warnings and 3 high vulnerability warnings because of that dependency.

+1

bluwy (Owner, Author) commented Oct 28, 2024

Perhaps it makes sense to cut a breaking minor for now to resolve this. I haven't got the time to do a better overhaul.

bluwy added the enhancement label and removed the future enhancement label Oct 28, 2024
bluwy (Owner, Author) commented Nov 18, 2024

I looked into bumping this today, and it looks like it also requires @npmcli/arborist to be used alongside it, and unfortunately it's extremely large: 162 dependencies and 13.5MB total install size.

This is a dealbreaker for me, so I'll hold off bumping it for now and await the proper solution proposed at #11 (comment)

> I get 2 deprecated warnings and 3 high vulnerability warnings because of that dependency.

I only got deprecated warnings. No vulnerability warnings on my end:

bjorn@Bjorns-MacBook-Pro publint-vul % npm i publint
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported

added 17 packages in 2s

2 packages are looking for funding
  run `npm fund` for details
bjorn@Bjorns-MacBook-Pro publint-vul % npm audit
found 0 vulnerabilities
