Skip to content

Fix peer dependency warnings #4974

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Nov 26, 2024
Merged

Fix peer dependency warnings #4974

merged 8 commits into from
Nov 26, 2024

Conversation

mcmire
Copy link
Contributor

@mcmire mcmire commented Nov 25, 2024
edited
Loading

Explanation

When running yarn install, several packages generate peer dependency warnings.

  • @lavamoat/preinstall-always-fail is now a peer dependency of @lavamoat/allow-scripts, so we need to add it as a new dev dependency.
  • For the other packages — @babel/runtime, @metamask/providers, webextension-polyfill — we really expect the client to have these dependencies, so we also add them as dev and peer dependencies instead of dependencies. We have to do this because they will not get forwarded along.

References

Fixes #4906.

Changelog

Changes are documented in changelogs.

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've highlighted breaking changes using the "BREAKING" category above as appropriate
  • I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

@mcmire mcmire force-pushed the fix-peer-dep-warnings branch from 790b3ee to 4e93fdb Compare November 25, 2024 18:29
@socket-security Socket Security
Copy link

socket-security bot commented Nov 25, 2024
edited
Loading

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@lavamoat/preinstall-always-fail@2.1.0 None 0 3.53 kB lmbot

View full report↗︎

@socket-security Socket Security
Copy link

socket-security bot commented Nov 25, 2024
edited
Loading

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@lavamoat/preinstall-always-fail@2.1.0

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

@mcmire mcmire force-pushed the fix-peer-dep-warnings branch from 4e93fdb to ae6262a Compare November 25, 2024 18:30
@mcmire
Copy link
Contributor Author

mcmire commented Nov 25, 2024

@SocketSecurity ignore npm/@lavamoat/preinstall-always-fail@2.1.0

New author is OK.

Install script is expected.

@mcmire mcmire marked this pull request as ready for review November 25, 2024 18:31
@mcmire mcmire requested review from a team as code owners November 25, 2024 18:31
@mcmire mcmire self-assigned this Nov 25, 2024
@mcmire mcmire force-pushed the fix-peer-dep-warnings branch from ae6262a to 8e58c0d Compare November 25, 2024 19:21
@mcmire
Fix peer dependency warnings
e275e3b 
When running `yarn install`, several packages generate peer dependency
warnings. `@lavamoat/preinstall-always-fail` is now a peer dependency of
`@lavamoat/allow-scripts`, so that makes sense, but for the other
packages (`@babel/runtime`, `@metamask/providers`,
`webextension-polyfill`), we really all of these packages to present as
dependencies of the _client_, so they just need to be added as dev
dependencies here.
@mcmire mcmire force-pushed the fix-peer-dep-warnings branch from 8e58c0d to e275e3b Compare November 25, 2024 19:23
Gudahtt
Gudahtt reviewed Nov 26, 2024
View reviewed changes
Gudahtt
Gudahtt requested changes Nov 26, 2024
View reviewed changes
Copy link
Member

@Gudahtt Gudahtt left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly looks good! Just the babel/runtime peer dependency removal that requires adjustment, I can approve once that change is undone.

Hopefully we can get rid of some of these peer dependencies from our dependencies soon, they seem largely unhelpful

@mcmire
Copy link
Contributor Author

mcmire commented Nov 26, 2024

@Gudahtt Just pushed up a commit: 52a8357. Do the changes there make sense? If so I can apply them to the other controllers.

@Gudahtt
Copy link
Member

Gudahtt commented Nov 26, 2024

Looks reasonable to me!

mcmire
mcmire commented Nov 26, 2024
View reviewed changes
packages/assets-controllers/package.json
@@ -74,6 +74,7 @@
"uuid": "^8.3.2"
},
"devDependencies": {
"@babel/runtime": "^7.23.9",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not added to peerDependencies because @metamask/ethjs-provider-http, which requires it, is in devDependencies.

packages/accounts-controller/package.json
"@metamask/snaps-controllers": "^9.7.0"
"@metamask/providers": "^18.1.0",
"@metamask/snaps-controllers": "^9.7.0",
"webextension-polyfill": "^0.10.0 || ^0.11.0 || ^0.12.0"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have copied the ranges for these peer dependencies from the packages that require them instead of using new ranges.

Gudahtt
Gudahtt approved these changes Nov 26, 2024
View reviewed changes
Copy link
Member

@Gudahtt Gudahtt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@mcmire mcmire merged commit 54bc0f4 into main Nov 26, 2024
120 checks passed
@mcmire mcmire deleted the fix-peer-dep-warnings branch November 26, 2024 22:10
@mcmire mcmire mentioned this pull request Dec 11, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gudahtt Gudahtt Gudahtt approved these changes

Assignees

@mcmire mcmire

Labels
team-wallet-framework
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Resolve peer dependency warnings in core
2 participants
@mcmire @Gudahtt