-
Notifications
You must be signed in to change notification settings - Fork 230
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A way to restrict the allowed hosts for dependencies. #4328
Comments
Dependencies from workspace-only is likely a niche use case. When doing things like this you are effectively saying that you don't want to use the version resolution logic that pub provides. We could certainly add things to The I think a feature like
I think that once we have SLSA support on pub.dev we should spend time designing a set of policies to be enforced on dependencies. I guess workspace feature is a good mechanism for enforcing such policies across a mono-repository. TL;DR: Some sort of policy enforcement on dependencies would be cool, but maybe we shouldn't design it until we have SLSA. In the meantime people can enforce policies with a test case. One could also imagine something like |
To be clear, the main surprise was that it silently works and doesn't even show up in the |
I think we just want a failure at |
I do actually think that for larger companies this might not be a niche use case. It is probably not all that uncommon to want to have some higher level control over exactly what dependencies are allowed, where they come from, and exactly what version a project is on. |
I like the idea of being able to restrict dependencies to a number of select hosts.
and for the flutter engine you would provide an empty list:
Maybe jonas is right and we should also allow for specifying allowed publishers, salsa levels etc. But I think these are somewhat orthogonal, and could be added separately later... |
Context:
flutter/engine
prohibits dependencies from pub, requiring all packages to come fromgclient sync
(i.e. our Chromium version of git submodules), so we go out of our way to make sure that, given a repoxyz
, packagexyx/packages/foo
doesn't start depending on say,package:archive
without adding it toxyz/DEPS
.In flutter/engine#53539 (comment), @zanderso asked:
It looks like the answer was surprisingly yes:
And then later, in
tools/engine_tool/pubspec.yaml
:I expected this to fail, or warn, or do something. Here is the result of
dart pub get
:Note that
archive
is omitted, and not mentioned. However, if I look at the root.dart_tool/package_config.json
:... and I can indeed import and use
package:archive
inengine_tool
. This is not a blocker for us as we have that custom script that checks that packages aren't resolved to pub, but it was surprising and silent behavior - I'd love to see some mechanism to get "protection" or at least notice that this is happening.Possible suggestions for improvement:
package:archive
comes up indart pub get
and similar, perhaps with a(not from workspace)
moniker?workspace_options: { "dependency_sources": "workspace_only" }
pub_workspace_single_source_of_dependencies
that can be opted-in to/cc @kevmoo @jtmcdole
The text was updated successfully, but these errors were encountered: