All Gemfile.lock dependencies are treated as 'runtime' #431

Open
havocp opened this issue Sep 20, 2018 · 3 comments

Comments

@havocp
Contributor

havocp commented Sep 20, 2018

https://github.com/librariesio/bibliothecary/blob/master/lib/bibliothecary/parsers/rubygems.rb#L38

How could we do better here?

@deivid-rodriguez

So the rule in the rubygems/ruby world, in the case of libraries, would be:

  • Everything in the Gemfile/Gemfile.lock file is a development dependency, because the Gemfile is never evaluated at runtime.

  • In the gemspec, add_development_dependency is used for development dependencies, and add_runtime_dependency for runtime dependencies.

But this is only for libraries; for a final application it's a whole different thing.

@havocp
Contributor Author

havocp commented Sep 20, 2018

That sounds like we might need a configuration option of some kind to set the type to assign to gemfile deps... or maybe the "type" we assign to Gemfile packages by default shouldn't be dev vs. runtime at all but more something noncommittal like "gemfile" or "unknown", and then it can be configured? Or possibly a default like runtime is more useful, as long as it can be corrected via config for libraries.

@deivid-rodriguez

If this library is also used for final applications, then I'd say you need to detect whether you're analyzing a library or an application, and then act accordingly. If this library is only meant to be used by libraries, then would anything break if you assign "development" instead of "runtime" to all dependencies coming from the Gemfile?
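The rule laid out in this thread, as an added example in Ruby (this is not bibliothecary's code and not from the project's parsers): gemspec declarations keep their `add_runtime_dependency` / `add_development_dependency` type, while everything under `DEPENDENCIES` in a Gemfile.lock is tagged according to a caller-supplied project kind, `development` for a library and `runtime` for an application. The gemspec is scanned textually rather than evaluated, so an untrusted gemspec never executes during analysis. The sample gemspec, lockfile and gem names are constructed for the example; `classify_dependencies`, `parse_gemspec_deps` and `parse_lockfile_direct_deps` are hypothetical names.

```ruby
# Added example, not bibliothecary's code. Classifies Ruby dependencies by
# where they are declared, following the rule from the discussion:
#   * gemspec: add_runtime_dependency / add_dependency => runtime,
#              add_development_dependency              => development
#   * Gemfile.lock DEPENDENCIES: development for a library (the Gemfile is never
#     evaluated at runtime), runtime for an application.
# The gemspec is scanned as text, never eval'd, so analyzing an untrusted
# gemspec cannot run its code.

# Matches `.add_dependency 'x'`, `.add_runtime_dependency('x', ...)` and
# `.add_development_dependency "x"`. In RubyGems, add_dependency is an alias
# for add_runtime_dependency.
GEMSPEC_DEP_RE = /
  \.add_(?<kind>runtime_|development_)?dependency
  \s*\(?\s*
  ['"](?<name>[^'"]+)['"]
/x

# Returns [[name, type], ...] in declaration order.
def parse_gemspec_deps(gemspec_text)
  gemspec_text.scan(GEMSPEC_DEP_RE).map do |kind, name|
    [name, kind == 'development_' ? 'development' : 'runtime']
  end
end

# Returns the gem names listed under DEPENDENCIES in a Gemfile.lock, i.e. the
# direct dependencies declared in the Gemfile. Transitive gems (GEM/specs) are
# deliberately not returned here.
def parse_lockfile_direct_deps(lock_text)
  names = []
  in_deps = false
  lock_text.each_line do |line|
    if line.start_with?('DEPENDENCIES')
      in_deps = true
      next
    end
    # Section headers are unindented; a blank line also ends the section.
    in_deps = false if in_deps && (line.strip.empty? || line !~ /\A\s/)
    next unless in_deps
    # Entries look like "  rake (~> 12.0)" or "  example-lib!" (path/git source).
    name = line.strip.sub(/\s*\(.*\)\z/, '').chomp('!')
    names << name unless name.empty?
  end
  names
end

# project_kind is :library or :application. When a gem appears in both files the
# gemspec type wins, because the gemspec is what ships to users of a library.
def classify_dependencies(lock_text:, project_kind:, gemspec_text: nil)
  lock_type = project_kind == :library ? 'development' : 'runtime'
  result = {}
  parse_lockfile_direct_deps(lock_text).each { |n| result[n] = lock_type }
  parse_gemspec_deps(gemspec_text.to_s).each { |n, t| result[n] = t }
  result
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |spec|
    spec.name = 'example-lib'
    spec.add_dependency 'nokogiri', '~> 1.8'
    spec.add_runtime_dependency('faraday', '~> 1.0')
    spec.add_development_dependency "rspec", "~> 3.0"
  end
GEMSPEC

SAMPLE_LOCK = <<~LOCK
  PATH
    remote: .
    specs:
      example-lib (0.1.0)
        nokogiri (~> 1.8)

  GEM
    remote: https://rubygems.org/
    specs:
      rake (12.3.1)
      rspec (3.8.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-lib!
    rake (~> 12.0)
    rspec (~> 3.0)

  BUNDLED WITH
     1.16.4
LOCK

if __FILE__ == $PROGRAM_NAME
  puts 'library:     ' + classify_dependencies(gemspec_text: SAMPLE_GEMSPEC,
                                               lock_text: SAMPLE_LOCK,
                                               project_kind: :library).inspect
  puts 'application: ' + classify_dependencies(lock_text: SAMPLE_LOCK,
                                               project_kind: :application).inspect
end
```

For the sample library, `rake` and `rspec` come out as `development` while `nokogiri` and `faraday` are `runtime`; the same lockfile analyzed as an application yields `runtime` for every direct dependency, which is the distinction the thread asks the parser to make configurable.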
