-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Special treatment for package.json resolution and exports? #33460
Comments
cc @nodejs/modules-active-members |
To me this seems like a great solution. Having the package metadata is an awesome ergonomic feature of the current setup, and having module authors explicitly have to opt in would be a huge burden across the community. To me it seems like we would need a concrete reason not to have this exception. Can anyone think of a reason to make this case? |
@wesleytodd I think it just comes down to what is public/private still. People putting public data into a a However, I'm unclear on the privacy model here since the benefit seems largely to be around bundlers which wouldn't run with the same constraints since they are ahead of time tools and general thought to access things in a more permissive manner than 2 independent modules with mutual distrust. It seems the problem is in part that these tools are using APIs that make them act as the same level of trust as any other module and other packages when they upgrade are removing permissions to view the package.json data (even if by accident). I think the concrete discussion here is if people should have to opt-out of package.json to avoid an accident prone workflow which is the inverse of all other resources in the package. A different option since there is a specific use case that seems to need this is to have a flag of some kind for these ahead of time tools. Either to |
My main concern with exposing it via exports is that there’s two options:
The first option would force every package to treat its metadata file as a public API. Some users eslint config reuses what I put into my package.json#eslint section? Well, it’s exported so how can I blame them. The second option means that tools may not actually get the metadata when they think they’re loading the metadata. It could be argued that it only affects “weird” packages but given a sufficiently large number of users that know about this “trick”, I can totally see people use it. I think bundlers shouldn’t use require (“load code for this environment”) to load metadata. So I’d rather have a new API to load the package.json that belongs to a specifier/referrer combination, exposing logic we already have in the loader. That API could be used by bundlers etc to cleanly get the metadata without having to hijack require. |
I think the primary issue is that there's no way besides |
Here's the recommended way to do this with ES modules: import { readFileSync } from 'fs';
(async () => {
const pkgPath = await import.meta.resolve('pkg/')
console.log(pkgPath);
console.log(readFileSync(new URL('package.json', pkgPath)).toString());
})(); The above also simplifies with TLA of course. Currently the above only executes with @nodejs/modules-active-members I think we should discuss unflagging this feature. |
I also want to clarify that the problems I have seen in the wild were always just about |
@guybedford |
@ljharb no, the trailing |
@guybedford iow, |
@ljharb yes, because trailing slashes in CommonJS still apply extension searching, which the ESM resolver does not, which is a fundamental difference between the module systems. |
This is a not a concern. Using exports to hide secrets is not ever a reasonable solution anyway.
This is what I was thinking as well. Seems perfectly reasonable to enforce this constraint.
It already is. This is not a change in the ecosystem as it is today. Every file is part of the public api, and needs to be treated as such. If projects choose not to strictly follow semver, that is a different issue.
We can also use hacks around
I have seen this many places. Although I am not going to spend the time now collecting references since I don't think this should be the primary focus of the discussion, if it become a key point I am happy to dig for them. |
I think allowing censorship is necessarily good and wouldn't feel comfortable with |
Making it more complicated for everyone seems to strongly outweigh this. I know the point of
Do you have examples of this type of workflow? The app developer use case is not what I was considering at first, so maybe there is some common practice I have not seen like this. If so we would not want to break it. That said, I feel like the current state before |
I'm confused about why this is a concern; if you put secrets in a place on the filesystem that the node user can access, your secrets are already exposed. |
I think the problem is more about making the The goal of exports is to fully encapsulate the public API of a package in a way that allows sound analysis of execution, optimization, breaks etc etc. Exposing the There are many ways to access the package.json otherwise - you are not stopped from doing it, it just takes a little more code. Updating Also note that this mostly applies far more to frameworks than libraries. Frameworks can at least take the effort to understand the problem here and fix the root cause I'd hope. |
I think the goal would be to explicitly document this fact (and codify it as part of the implementation). Just call it part of the public api, always and forever, and be done with it. And to be clear, adding
Not sure I understand the distinction here. I have libraries which load |
That’s the problem - you can’t update to a readFile pattern if you can’t get the path to the file robustly, in CJS. That’s not possible right now for a package with exports, that doesn’t include package.json, and whose dot/main either is set to false or points to a subdir. |
This focus around That this is not longer possible if there is a pkg.exports seems like a very critical degredation of what I as a consumer of modules would hope & desire. If package.json exports do export something, fine, I'll take that, but I should continue to be able to require/import files that a package distributes. Including package.json. I beg node to please adjust course & not hide the file system the moment an author declares a package.json |
That’s the entire purpose of “exports”, and it’s a highly desired one - that’s not something that we’re discussing here. |
well where do we discuss it jordan, because it's a bad choice & confusing for everyone? there should be room to fallback into actual real resources if not defined in this new abstract package.json system node invented for itself. i don't see why we shouldn't have both. it would solve this issue. it would allow people who have for a decade now required()'d resources continue to do so when their package authors miss this or that resource. i think the package consumers deserve more than they are getting with this "highly desired" system. |
@rektide the full resources are still available at If the problem is how to resolve the package path without having a suitable subpath, this is what the trailing slash was designed to allow in the example provided at #33460 (comment). If you don't like change, don't adopt exports. |
@ctavan you make a good point in #33460 (comment). Perhaps one option could be to treat I would not want such a path implemented for |
Anything |
Having it just for |
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
To ensure that `package.json` is qccessible, it has to be exported. See nodejs/node#33460 For the same reason, we now export TypeScript types.
I'm not sure what the use-case is (if it exists) for restricting access to That said, to avoid breaking things, it would be helpful for tooling authors if Node.js would expose an API like: // node:util
getPackageJson(resolvable: string | URL): Promise<unknown>;
getPackageJsonSync(resolvable: string | URL): unknown; ...which would fulfill with the contents of the "closest" (sibling or ancestor) A simpler and easier-to-implement API would expect a resolvable package name or path/URL to package directory, and resolve with the contents of its Should probably throw/reject if the operation fails. Right now, adding |
Yes, a new API could work. Up above I suggested |
// Nodejs v22.6.0
import.meta.resolve('@babel/runtime/')
// Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './' is not defined by "exports" in /Users/.../node_modules/@babel/runtime/package.json imported from ... 🥲 |
@GeoffreyBooth Should we open a new issue for adding |
📗 API Reference Docs Problem
Location
Section of the site where the content exists
Affected URL(s):
Problem description
Concise explanation of what you found to be problematic
With the introduction of
pkg.exports
a module only exports the paths explicitly listed inpkg.exports
, any other path can no longer be required. Let's have a look at an example:Node 12.16.3:
Node 14.2.0:
So far, so good. The docs describe this behavior (although not super prominently):
While this meets the expectations set out by the docs I stumbled upon
package.json
no longer being exported:For whatever reason I wasn't assuming the documented rules to apply to
package.json
itself since I considered it package metadata, not package entrypoints whose visibility a package author would be able to control.This new behavior creates a couple of issues with tools/bundlers that rely on meta information from
package.json
.package.json
have to add thepackage.json
to thepkg.exports
field.package.json
gracefully, since it might very well be the fact that a given package doesn't need to export any bundler meta information (and otherwise almost all packages on npm that could ever be used in a react-native project would have to addpackage.json
to their exports).package.json
exports gracefully, I see the risk that many modules that currently rely on theirpackage.json
simply being externally consumable without additional effort might suddenly behave in odd ways when the meta information frompackage.json
is no longer readable by bundlers (and no error is thrown).Examples where this issue already surfaced:
exports
package.json field sveltejs/rollup-plugin-svelte#104Now the question is how to move forward with this?
package.json
can no longer be resolved unless added toexports
. EDIT: Already done in 1ffd182 / Node.js v14.3.0package.json
and always export it.I had some discussion on slack with @ljharb and @wesleytodd but we didn't come to an ultimate conclusion yet 🤷♂️ .
The text was updated successfully, but these errors were encountered: