Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(npm): include the proper files in the npm tarball #594

Merged
merged 3 commits into from
Apr 9, 2024
Merged

fix(npm): include the proper files in the npm tarball #594

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
137097b
fix: set proper files to include in the npm tarball
favna Apr 6, 2024
9037521
ci: add job that checks npm tarball content
favna Apr 8, 2024
a21d221
fix(release): update the release script to run yarn install after bum…
favna Apr 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/cd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -309,6 +309,7 @@ jobs:
yarn install
yarn build
cp ../../README.md .
cp ../../CHANGELOG.md .
if [ ${{ contains(github.ref, '-') }} = "true" ]; then
yarn npm publish --tag rc
else
Expand Down
42 changes: 42 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,3 +152,45 @@ jobs:
printf "Checking MSRV for $package..."
cargo msrv --output-format json --path "$package" verify | tail -n 1 | jq --exit-status '.success'
done

tarball:
name: Check NodeJS tarball
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install node
uses: actions/setup-node@v4
with:
node-version: 18
registry-url: "https://registry.npmjs.org"
- name: Validate the files in the tarball
shell: bash
working-directory: npm/git-cliff
run: |
yarn install
yarn build
cp ../../README.md .
cp ../../CHANGELOG.md .

files_expected_in_tarball=(
"CHANGELOG.md"
"README.md"
"lib/cjs/index.cjs"
"lib/cjs/index.cjs.map"
"lib/cjs/index.d.cts"
"lib/cli/cli.js"
"lib/esm/index.d.ts"
"lib/esm/index.js"
"lib/esm/index.js.map"
"package.json"
)

tarball_output=$(yarn pack --dry-run)

for file in "${files_expected_in_tarball[@]}"; do
if [[ ! "$tarball_output" == *"$file"* ]]; then
echo "Error: Expected file '$file' not found in tarball."
exit 1
fi
done
3 changes: 3 additions & 0 deletions npm/git-cliff/package.json
View file
Open in desktop
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To clarify, what this essentially says is "include only the files in lib, and include everything in there". This ensures that the JavaScript files are also included. Yarn (and npm too for that matter) automatically include the package.json and README.md when found, so need to specify them.

Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@
}
}
},
"files": [
"lib"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you include the source Typescript files as well?

Copy link
Contributor Author

@favna favna Apr 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is absolutely no reason to do so. Types are provided through the output .d.ts files and node, bun and deno all will never even load the source typescript files. In fact, Node cannot even load the source typescript files.

Copy link
Contributor Author

@favna favna Apr 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also due to the export mapping (a few lines above this) the files in src won't even be accessible. Node will just say they're not exported. The only way to read them would with a manual readFile call.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, my build system Parcel is capable of using the source files directly. I also prefer untransformed source code that is on GitHub. Given what has been going on with the xz distribution, you should consider this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any relationship to what happened to xz. It's also not "going on", it's already resolved. Please show me the documentation where parcel says they use the source files. I've used parcel before and it doesn't. Please also explain what your exact use case is that you use parcel to not only consume the git-cliff npm package but also parcel bundle it. Parcel is for bundling webapps after all.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not well versed in these topics so I cannot comment. But I would appreciate a ELI5 summary 😊

Copy link
Contributor Author

@favna favna Apr 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure!

@aminya wants me to include the TypeScript files from src in the tarball. This is something that no library ever does. Search the favourite big-name packages written in TypeScript on https://yarnpkg.com as they have a file viewer for what's in the tarball, and you'll see that none of them include the source TypeScript files. This is because runtimes and bundlers will never access them. This is despite what @aminya says about Parcel, as described by my previous comment. Even if Parcel would access those files, it would be the only bundler to do so and it's far from the most popular bundler (npmtrends). Ultimately, including the source TypeScript files is unnecessary bloat and increasing filesize for no actual gain.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optimizing the package size seems unnecessary, and the fact that the popular packages do not provide source files just reveals the wide attack surface in open source.

The question remains though. How can I make sure the JavaScript files in the dist are exactly derived from the source TypeScript files in the repository? Do you have a byte-for-byte reproducible build and release process?

Copy link
Contributor Author

@favna favna Apr 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optimizing the package size seems unnecessary.

This is indeed crucial as it has a direct impact on the download size, and it's important to note that not all users have access to high-speed internet. Moreover, since this also includes a programmatic API, it is not solely installed as a global dependency and it would thus also affect other packages that implement git-cliff, my own favware/cliff-jumper among them. This package is the main reason why I even started contributing to git-cliff in the first place. Furthermore, Yarn Berry (a.k.a. Yarn version 2 and higher) has ceased to support global dependencies.

How can I make sure the JavaScript files in the dist are exactly derived from the source TypeScript files in the repository? Do you have a byte-for-byte reproducible build and release process?

I understand your concerns. Indeed, you are technically correct. However, it is important to trust the open source community. The recent exploit in one library does not necessarily warrant an Nth degree heightened level of scrutiny. If the issue and my subsequent PR had occurred a few weeks ago, prior to the xz incident, it likely would not have attracted this level of attention.

It is not practical to compare the source TS files with the compiled JS files in your node_modules folder for every package. If we were to do this for every package, the process would be extremely time-consuming. Have you considered the number of files in your node_modules folder or the number of transitive dependencies you’re pulling in? This package alone installs a total of 18 packages that would all require analysis.

It is crucial to maintain a balanced perspective and not overreact to individual incidents. We should continue to support and have faith in the open source community.

To further illustrate the complexity of your proposal, I have attached the tarball that would be published after this PR. Please note that it is zipped because GitHub does not support the upload of .tgz files. You can find it here: git-cliff.zip

Additionally, consider another repository that includes a significant higher amount of code, another project I maintain: sapphiredev/framework. The package can be found here: package.zip

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the detailed summary and your thoughts! I agree that we should still have faith in the open source community. I don't have a strong preference between including/not including the TS files due to the fact that it's an whole another ecosystem that I'm not a part of. I can still very clearly see @aminya's concerns, but I'd say we can discuss this elsewhere for the sake of not blocking this PR.

I'm happy to include the TS files if there are strong arguments with practical and proven reproducibility along with a PR.

],
"scripts": {
"typecheck": "tsc",
"lint": "eslint .",
Expand Down
48 changes: 24 additions & 24 deletions npm/git-cliff/yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1371,44 +1371,44 @@ __metadata:
languageName: node
linkType: hard

"git-cliff-darwin-arm64@npm:2.1.0-rc.0":
version: 2.1.0-rc.0
resolution: "git-cliff-darwin-arm64@npm:2.1.0-rc.0"
"git-cliff-darwin-arm64@npm:2.2.0":
version: 2.2.0
resolution: "git-cliff-darwin-arm64@npm:2.2.0"
conditions: os=darwin & cpu=arm64
languageName: node
linkType: hard

"git-cliff-darwin-x64@npm:2.1.0-rc.0":
version: 2.1.0-rc.0
resolution: "git-cliff-darwin-x64@npm:2.1.0-rc.0"
"git-cliff-darwin-x64@npm:2.2.0":
version: 2.2.0
resolution: "git-cliff-darwin-x64@npm:2.2.0"
conditions: os=darwin & cpu=x64
languageName: node
linkType: hard

"git-cliff-linux-arm64@npm:2.1.0-rc.0":
version: 2.1.0-rc.0
resolution: "git-cliff-linux-arm64@npm:2.1.0-rc.0"
"git-cliff-linux-arm64@npm:2.2.0":
version: 2.2.0
resolution: "git-cliff-linux-arm64@npm:2.2.0"
conditions: os=linux & cpu=arm64
languageName: node
linkType: hard

"git-cliff-linux-x64@npm:2.1.0-rc.0":
version: 2.1.0-rc.0
resolution: "git-cliff-linux-x64@npm:2.1.0-rc.0"
"git-cliff-linux-x64@npm:2.2.0":
version: 2.2.0
resolution: "git-cliff-linux-x64@npm:2.2.0"
conditions: os=linux & cpu=x64
languageName: node
linkType: hard

"git-cliff-windows-arm64@npm:2.1.0-rc.0":
version: 2.1.0-rc.0
resolution: "git-cliff-windows-arm64@npm:2.1.0-rc.0"
"git-cliff-windows-arm64@npm:2.2.0":
version: 2.2.0
resolution: "git-cliff-windows-arm64@npm:2.2.0"
conditions: os=win32 & cpu=arm64
languageName: node
linkType: hard

"git-cliff-windows-x64@npm:2.1.0-rc.0":
version: 2.1.0-rc.0
resolution: "git-cliff-windows-x64@npm:2.1.0-rc.0"
"git-cliff-windows-x64@npm:2.2.0":
version: 2.2.0
resolution: "git-cliff-windows-x64@npm:2.2.0"
conditions: os=win32 & cpu=x64
languageName: node
linkType: hard
Expand All @@ -1422,12 +1422,12 @@ __metadata:
"@typescript-eslint/parser": "npm:^7.1.0"
eslint: "npm:^8.57.0"
execa: "npm:^8.0.1"
git-cliff-darwin-arm64: "npm:2.1.0-rc.0"
git-cliff-darwin-x64: "npm:2.1.0-rc.0"
git-cliff-linux-arm64: "npm:2.1.0-rc.0"
git-cliff-linux-x64: "npm:2.1.0-rc.0"
git-cliff-windows-arm64: "npm:2.1.0-rc.0"
git-cliff-windows-x64: "npm:2.1.0-rc.0"
git-cliff-darwin-arm64: "npm:2.2.0"
git-cliff-darwin-x64: "npm:2.2.0"
git-cliff-linux-arm64: "npm:2.2.0"
git-cliff-linux-x64: "npm:2.2.0"
git-cliff-windows-arm64: "npm:2.2.0"
git-cliff-windows-x64: "npm:2.2.0"
favna marked this conversation as resolved.
Show resolved Hide resolved
tsup: "npm:^8.0.2"
typescript: "npm:^5.3.3"
dependenciesMeta:
Expand Down
1 change: 1 addition & 0 deletions release.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ msg="# managed by release.sh"
sed -E -i "s/^version = .* $msg$/version = \"${1#v}\" $msg/" git-cliff*/Cargo.toml
sed -E -i "s/\"version\": \".+\"/\"version\": \"${1#v}\"/" npm/git-cliff/package.json
sed -E -i "s/\"(git-cliff-.+)\": \".+\"/\"\1\": \"${1#v}\"/g" npm/git-cliff/package.json
pushd npm/git-cliff && yarn install && popd
# update the changelog
cargo run -- --config cliff.toml --tag "$1" >CHANGELOG.md
git add -A && git commit -m "chore(release): prepare for $1"
Expand Down
Loading