Unlocked or Managed Package as a 2GP Managed Package Dependency

[nathanvoller]

Hi @jongpie and @jamessimone

I'm interested in using Nebula Logger in a 2GP managed package I'm developing and have been researching whether to use the unlocked package or the managed package. I've come across this discussion but there was no conclusion on which route to take and I'm not sure if anything has changed since as it's almost 2 years old now.

This article from Salesforce suggests that a 2GP package dependency is not recommended to be an unlocked package. So I think that I have to use the managed package and deal with the limitations?

Do you know whether there are any downstream effects on the logging functionality of using Nebula Logger as a managed package from within my managed package? For example, could I get a stack trace successfully? Or perhaps I should go against the recommendation and install it as an unlocked package but this seems risky if my managed package were to depend on something from Nebula Logger that is later removed/updated?

Keen to hear your thoughts on this.

Many thanks,
Nathan

[jongpie]

Hi @nathanvoller - that's awesome to hear that you're interested in using Nebula Logger for your own package! Since you'll be creating your own 2GP managed package, there are a couple options

1. You can't use Nebula Logger's unlocked package as a dependency, because the unlocked package does not have a namespace. Any namespaced package (either a managed package or an unlocked package with namespace) can only depend on other packages with a namespace. If you tried to use Nebula Logger's unlocked package as a dependency, I think you'd get an error when trying to create a new package version.
2. You can definitely use the managed package as a dependency, but...
   • You still won't be able to get a stacktrace for your namespace. I believe that any AppExchange package that has gone through security review cannot get a stacktrace in Apex, it will always return (your_namespace), so it's a platform limitation.
   • Nebula Logger is not listed on AppExchange, and has not gone through AppExchange's formal security review. This could cause some complications for you during your own security review. I think you'd still be able to make this approach work, but it might just be a bit more complicated since you'd be depending on a separate package.
3. You can include Nebula Logger's metadata within your managed package (instead of depending on either of Nebula Logger's packages). I know of 1 or 2 other managed packages that have taken this approach, and it sounds like it's worked out well for them.
   • The upside with this approach is that your package is completely self-contained - your customers won't need to first install Nebula Logger before installing your package, your package will have all of the metadata needed.
   • The downside with this approach is that it increases the metadata in your package (you'd have all of your own metadata + Nebula Logger's metadata), and you'll have to handle upgrading Nebula Logger's metadata as part of your package. You would also be prevented from moving Nebula Logger's metadata, unless you first request via the Partner Community to enable that functionality in your dev hub (see Spring '22 release notes - https://help.salesforce.com/s/articleView?id=release-notes.rn_sfdx_packaging_remove_components.htm&release=236&type=5)

There are definitely tradeoffs with each approach - let me know what you think, I'm happy to chat about this further if you'd like.