Dependencies for binding_typescript_wasm #23

Closed
marco-ippolito opened this issue Jul 31, 2024 · 7 comments
@marco-ippolito
Member

marco-ippolito commented Jul 31, 2024

I'm not a Rust expert, but as I understand it, the dependencies of binding_typescript_wasm will be downloaded during the build process, right @kdy1?
Would it be possible to read from the crates on the fs and make other crates version pinned?
We want to achieve wasm build reproducibility.

```toml
[package]
authors     = ["강동윤 <kdy1997.dev@gmail.com>"]
description = "wasm module for swc"
edition     = "2021"
license     = "Apache-2.0"
name        = "binding_typescript_wasm"
publish     = false
repository  = "https://github.com/swc-project/swc.git"
version     = "1.7.2"

[lib]
bench      = false
crate-type = ["cdylib"]

[features]

[dependencies]
anyhow               = { workspace = true }
getrandom            = { workspace = true, features = ["js"] }
serde                = { workspace = true, features = ["derive"] }
serde-wasm-bindgen   = { workspace = true }
serde_json           = { workspace = true }
swc_common           = { workspace = true }
swc_error_reporters  = { workspace = true }
swc_fast_ts_strip    = { workspace = true, features = ["wasm-bindgen"] }
tracing              = { workspace = true, features = ["max_level_off"] }
wasm-bindgen         = { workspace = true, features = ["enable-interning"] }
wasm-bindgen-futures = { workspace = true }
```

@kdy1
Member

kdy1 commented Jul 31, 2024

Yep, those dependencies will be downloaded from crates.io.
If you commit Cargo.lock, you will be able to rebuild it even after several years, but if you want to vendor all dependencies, take a look at `cargo vendor` from the Rust official book.
https://doc.rust-lang.org/cargo/commands/cargo-vendor.html

@marco-ippolito
Member Author

@ChALkeR committing the lockfile might be enough, wdyt?

@ChALkeR
Member

ChALkeR commented Jul 31, 2024

@marco-ippolito if that will be stable/will fail on mismatches (I can recheck after it's committed), then it should be fine!

@ChALkeR
Member

ChALkeR commented Jul 31, 2024

I wonder how large `cargo vendor` would be though? If less than the current size, then why not?
Then the build can even be performed in a network-less env, I assume?

@marco-ippolito
Member Author

I think it's fine if we don't vendor all dependencies as long as we keep track of the lock file, and maybe set up a scanner for associated CVEs?

@marco-ippolito
Member Author

@ChALkeR Cargo.lock was actually present https://github.com/nodejs/amaro/blob/main/deps/swc/Cargo.lock 😐

@marco-ippolito
Member Author

Now the crates are installed with the `--locked` flag, which should guarantee that the downloaded version is always the same.
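
An added example, not part of the thread or the project's code: a build with `--locked` depends on what the committed `Cargo.lock` actually pins, so this sketch audits a lockfile for entries that do not carry a crates.io checksum. It assumes the lockfile format where each `[[package]]` table holds its own `checksum`; the sample lockfile and the `example-*` crate names are constructed, and the regex reader is a simplification, not a full TOML parser.

```python
import re

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample, not the real deps/swc/Cargo.lock; %s is a dummy 64-hex digest.
SAMPLE_LOCK = '''version = 3

[[package]]
name = "anyhow"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "%s"

[[package]]
name = "binding_typescript_wasm"
version = "1.7.2"
dependencies = [
 "anyhow",
]

[[package]]
name = "example-git-dep"
version = "0.1.0"
source = "git+https://example.invalid/repo.git#0000000"

[[package]]
name = "example-no-checksum"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
''' % ("0" * 64)

def parse_packages(text):
    """Return one dict of string-valued keys per [[package]] table."""
    chunks = text.split("[[package]]")[1:]
    return [dict(re.findall(r'^(\w+) = "([^"]*)"$', c, re.M)) for c in chunks]

def audit(text):
    """List (name, version, problem) for entries not pinned to a crates.io checksum."""
    findings = []
    for pkg in parse_packages(text):
        source = pkg.get("source")
        if source is None:
            continue  # workspace/path crate: built from the checked-in tree
        if source != CRATES_IO:
            findings.append((pkg["name"], pkg["version"], "non-crates.io source"))
        elif not re.fullmatch(r"[0-9a-f]{64}", pkg.get("checksum", "")):
            findings.append((pkg["name"], pkg["version"], "missing or malformed checksum"))
    return findings
```

Run `audit()` on the contents of the committed lockfile in CI and fail the job when the returned list is non-empty.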
