-
-
Notifications
You must be signed in to change notification settings - Fork 593
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(node-resolve): remove deep-freeze and deepmerge from dependencies #529
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternative to adding a copy/convenience method to our code would be to reach out to substack to see if a more pleasing license could be applied.
deepmerge
is a guard and unfortunately I won't approve removing that.
packages/node-resolve/src/index.js
Outdated
const defaults = { | ||
customResolveOptions: {}, | ||
dedupe: [], | ||
const defaults = Object.freeze({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather see a simple convenience method (const deepFreeze = () =>
) in here to take the place of the removed dep on line 30, rather than a buncha calls to Object.freeze
that we'd have to remember to add to anything new to defaults
. A depth of 4 seems like it would be sufficient. The code is rather simple.
Isn't it much easier to just duplicate defaults definition twice than adding a bunch of packages for very doubtful use case (laziness)? |
I was actually considering copy and pasting the defaults. @shellscape, what do you think? |
man, I really take exception to that language. @alan-agius4 I'd ask that you follow the guidance offered in my review |
By laziness I mean initial issue with adding ts extensions. It's really the only use case and requires two dependencies though it's not a big deal to list all necessary extensions in user config. |
9076f9e
to
c467634
Compare
Sorry guys, not backing down from that. |
@shellscape, I added the deep freeze implementation. |
DeepFreeze package seems to be unmaintained. They do have a PR (https://github.com/substack/deep-freeze/pull/20 ) to change the license type but is staled. |
Can you explain what do you mean by deepmerge being a guard? |
Dude, please use the edit feature rather than three consecutive replies. No one likes their notifications to go bananas. It's a guard to prevent mutating the exported defaults. Because this is compiled down to CJS, defaults could inadvertently be overwritten, causing program failure. Providing what is essentially a deep That code was put in place precisely because someone did exactly what is described above and encountered errors. Please assume that we're not sitting around coming up with ways to be difficult. If a maintainer says it's a hard block and they aren't backing down, you can safely assume there's a good reason. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
blocked until deepMerge
implementation is reinstated
@shellscape, apologies for the extra notifications. I believe that If it makes you happy and we can merge this PR I can add back deepmerge, but again it seem redundant to me considering you are freezing the object itself and all of it’s sub properties. |
`deep-freeze` is licensed as Public Domain, which might be problematic for some 3rd parties such as the Angular CLI. In Angular CLI we have a license validator that validates direct and transitive dependencies, and Public Domain is a problematic license becuse it falls under the "unencumbered' group which requires legal audit. More context: https://opensource.google/docs/thirdparty/licenses/#unencumbered
c467634
to
54a3a52
Compare
Unfortunately that's not true. This can be simply demonstrated. // a.js
module.exports = { defaults: Object.freeze({ batman: 'batman' }) }; → node
Welcome to Node.js v12.18.1.
Type ".help" for more information.
> require('./a').defaults
{ batman: 'batman' }
> require('./a').defaults = null
null
> require('./a').defaults
null |
@shellscape, I see what you mean now. Thanks for the explanation. But honestly if someone is doing that, they should be punished and not handle such cases. I cannot think of a genuine use case that it would be okay to that. Also possible in this case a top level Ps: deepmerge re-implemented |
Thankfully, we have empathy for users in this project. Change looks good. I'm on my phone right now and will merge when I return home. |
@alan-agius4 next time please use our Pull Request template. normally a script I run on my machine would have picked up that up and closed the PR citing the missing template. Guess you got lucky :) |
) `deep-freeze` is licensed as Public Domain, which might be problematic for some 3rd parties such as the Angular CLI. In Angular CLI we have a license validator that validates direct and transitive dependencies, and Public Domain is a problematic license becuse it falls under the "unencumbered' group which requires legal audit. More context: https://opensource.google/docs/thirdparty/licenses/#unencumbered
This 2 dependencies are currently used to deepfreeze an exported symbol. Which seems to be an wasteful to add 2 extra dependencies for something trivial.
Also
deep-freeze
is licensed as Public Domain, which might be problematic for some 3rd parties such as the Angular CLI.In Angular CLI we have a license validator that validates direct and transitive dependencies, and Public Domain is a problematic license becuse it falls under the "unencumbered' group which requires legal audit.
More context: https://opensource.google/docs/thirdparty/licenses/#unencumbered