-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cliDependencies and npm dependency #716
Comments
I introduced this because I noticed that a few people felt the need to fork protobuf.js without the cli to avoid the additional dependencies. The cleanest solution would be a -cli package probably. |
I'd be happy to open a PR to make that happen - not sure how I would open a PR for the new CLI package though, do you want to create an empty repo for it in your name? |
I'd probably just include it here similar to the packages in |
Just hit this in CockroachDB - one of these dependencies moved and broke our CI. This is a seriously bad practice - @joscha are you still working on a solution? |
Yep, looks like jsdoc 3.5.0 changed something which causes the way it is being called from https://github.com/dcodeIO/protobuf.js/blob/6.8.0/cli/pbts.js, which causes randomly truncated output. My bet is that there's an error popping out somewhere and not being handled. |
@tamird Not working on a solution, sorry, as far as I remember, there were a few commits made in that direction however. |
We're hitting this too. Perhaps I'm doing something unusual, but the cli's use of @joscha the |
@dcodeIO what are the tasks remaining to complete this? I'd be happy to work on this. Currently I'm carrying around a few hacks in my build process to prevent the cli tool from installing npms at run time. |
Ping. Is there anything happening here? Fixing this issue seems like it should be pretty high priority, since shadow invoking NPM is such a dark pattern. |
hey @dcodeIO, thanks for creating protobuf.js. Is there anything we can do to help get this CLI package over the line? |
Hi there! any solution for this issue? It seems to have been open for a long time. We are experiencing the same problem on a monorepo with yarn workspaces and lerna. Due to concurrency, sometimes installing those dependencies using npm during the cli invocation causes very bad things to happen. As someone mentioned, I think this is a very bad practice. These hidden dependencies are highly suspicious to any auditor and are undoubtedly the source of many problems. |
On my team, we worked around by using https://github.com/ds300/patch-package to remove the calls to |
But it was a big moment! |
Our build broke because |
systems happy related to protobufjs/protobuf.js#716
protobuf.js version: 6.6.5
When using the CLI version of protobuf.js, some additional dependencies are installed (they are defined without versions in
cliDependencies
of thepackage.json
.There are a few issues with this approach that I hope we can find a solution for:
yarn
, meaning that whereverpbjs
was installed into does not havenpm
available on CI.yarn.lock
ornpm-shrinkwrap.json
, meaning that the installation can 1) not be cached easily 2) not be reproduced easily 3) yarn will blow away any installed packages not part of the lock file any timeyarn install
is run 4)npm shrinkwrap
will wet itself because there are additional packages installed.A couple solutions come to mind:
dependencies
- after all they are used at runtimeprotobuf.js-cli
package that has a dependency on theprotobuf.js
package and on all the CLI dependencies. That way this package could be lightweight for the people that are not interested in the CLI.What do you think?
The text was updated successfully, but these errors were encountered: