Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Addresses #10 / Update semver to the latest to fix CVE / Remove unnecessary dependencies #11

Merged
merged 12 commits into from
Jul 4, 2023

Conversation

SukkaW
Copy link
Collaborator

@SukkaW SukkaW commented Jul 2, 2023

The PR does the following things:


eslint-plugin-i is a fork of eslint-plugin-import that replaces the tsconfig-paths with the faster and more lightweight get-tsconfig, which also addresses the following issues:

If you want to replace eslint-plugin-import with eslint-plugin-i, just run following command in your projects:

# npm
npm install -D eslint-plugin-import@npm:eslint-plugin-i@latest
# yarn
yarn add -D eslint-plugin-import@npm:eslint-plugin-i@latest
# pnpm
pnpm add -D eslint-plugin-import@npm:eslint-plugin-i@latest

@changeset-bot
Copy link

changeset-bot bot commented Jul 2, 2023

⚠️ No Changeset found

Latest commit: efb9326

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copy link

@NWYLZW NWYLZW left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job!

@codecov
Copy link

codecov bot commented Jul 2, 2023

Codecov Report

Patch coverage: 100.00% and project coverage change: -0.26 ⚠️

Comparison is base (616ac75) 95.02% compared to head (efb9326) 94.76%.

Additional details and impacted files
@@               Coverage Diff                @@
##           fork-release      #11      +/-   ##
================================================
- Coverage         95.02%   94.76%   -0.26%     
================================================
  Files                68       68              
  Lines              2977     2982       +5     
  Branches           1028     1028              
================================================
- Hits               2829     2826       -3     
- Misses              148      156       +8     
Impacted Files Coverage Δ
src/ExportMap.js 89.47% <ø> (ø)
src/core/importType.js 100.00% <ø> (ø)
src/rules/no-unused-modules.js 96.00% <ø> (-1.65%) ⬇️
resolvers/webpack/index.js 62.62% <100.00%> (ø)
src/rules/export.js 100.00% <100.00%> (ø)
src/rules/group-exports.js 100.00% <100.00%> (ø)
src/rules/no-anonymous-default-export.js 100.00% <100.00%> (ø)
src/rules/order.js 99.18% <100.00%> (+<0.01%) ⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 2, 2023

Ops, it seems that I forgot to remove those outdated Node.js versions from the CI matrix!

@JounQin
Copy link
Member

JounQin commented Jul 2, 2023

What benefits would we get from this do you think?

@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 2, 2023

What benefits would we get from this do you think?

@so1ve
Copy link
Member

so1ve commented Jul 2, 2023

Can we drop is-core-module as well?


UPD:

Maybe we can't :(

@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 2, 2023

Can we drop is-core-module as well?

UPD:

Maybe we can't :(

@so1ve Actually maybe we can! The module.builtinModules is definitely available in Node.js 12.0.0+!

https://nodejs.org/dist/latest-v18.x/docs/api/module.html#modulebuiltinmodules

image

@JounQin
Copy link
Member

JounQin commented Jul 2, 2023

I'm not so sure for these, actually I was thinking to maintain this package separately from the upstream.

As you said, such changes make rebasing a bit complicated, if we do so it would mean we're really start "forking", but it would mean a lot of extra efforts and hurt the community I think.

But of course, I would like to listen from the community, I was trying to support the same node versions as upstream but it's also boring and "ridiculous". So I like such changes personally, but also I'm in awe of this impactful project.

Let's wait for some more feedback for a while.

Copy link

@nonzzz nonzzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@g-plane
Copy link

g-plane commented Jul 2, 2023

Additionally, less dependencies may reduce possible supply-chain attacks.

Copy link

@pionxzh pionxzh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I support the idea of reducing unnecessary dependencies.

@bakkot
Copy link

bakkot commented Jul 2, 2023

You can replace has with {}.hasOwnProperty.call, also.

@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 3, 2023

@JounQin

Although ljharb hasn't been actively maintaining eslint-plugin-import for literally months while he is basically held that open-source project as a hostage, we should still try our best to stay close to the upstream.

I have rebased the PR and minimized the affected lines to ensure that there will be least merging conflicts in the future.


Update

I also move is-core-module to devDeps (even less dependency to be installed!). I still retain the is-core-module in the tests, to make sure the behavior doesn't change.

@SukkaW SukkaW changed the title Addresses #10 Addresses #10 / Update semver to the latest to fix CVE / Remove unnecessary dependencies Jul 3, 2023
@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 3, 2023

I have bumped the semver to the latest version in the latest commit, which basically fixes all these issues and PRs:

All test cases pass on my machine, waiting for the CI.

package.json Outdated Show resolved Hide resolved
@SukkaW SukkaW requested a review from JounQin July 4, 2023 07:34
src/rules/export.js Show resolved Hide resolved
@JounQin
Copy link
Member

JounQin commented Jul 4, 2023

Thanks, lets make it happen.

@SukkaW SukkaW requested a review from JounQin July 4, 2023 09:11
@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 4, 2023

image

GitHub Action broke again.

@so1ve
Copy link
Member

so1ve commented Jul 4, 2023

Let's drop node 13 15 17 19

package.json Outdated Show resolved Hide resolved
@pionxzh
Copy link

pionxzh commented Jul 4, 2023

We also need to update the Node.js versions in appveyor config.

https://github.com/un-es/eslint-plugin-i/blob/616ac75b11731f41a3786bdbe2c7620d65df9ded/appveyor.yml#L8-L14

@so1ve
Copy link
Member

so1ve commented Jul 4, 2023

I guess we can delete that file because we don't use appveyor at all

@SukkaW
Copy link
Collaborator Author

SukkaW commented Jul 4, 2023

We also need to update the Node.js versions in appveyor config.

https://github.com/un-es/eslint-plugin-i/blob/616ac75b11731f41a3786bdbe2c7620d65df9ded/appveyor.yml#L8-L14

I guess we can delete that file because we don't use appveyor at all

I don't know. IMHO the PR has contained enough changes. @JounQin What do you think?

@JounQin
Copy link
Member

JounQin commented Jul 4, 2023

I don't know. IMHO the PR has contained enough changes. @JounQin What do you think?

It's not used, then no change is needed.

@SukkaW SukkaW requested a review from JounQin July 4, 2023 14:48
@JounQin JounQin merged commit 644d438 into un-ts:fork-release Jul 4, 2023
JounQin added a commit that referenced this pull request Jul 31, 2023
JounQin added a commit that referenced this pull request Jul 31, 2023
@JounQin JounQin mentioned this pull request Aug 15, 2023
@JounQin
Copy link
Member

JounQin commented Dec 18, 2023

For anyone may be interested, I just upgraded debug to v4 and removed unused resolve dependencies at v2.29.1. And I tried to upgrade minimatch to v9 but it fails on some cases like

import-js#2900 (comment)

and

https://github.com/import-js/eslint-plugin-import/blob/ee5fadeffff68f2300bed7f67a310496cb969d61/tests/src/rules/no-internal-modules.js

I don't have enough time to work on this replacement, anyone interested can help to raise a PR which will be appreciated.


For import-js#2900 (comment), I think it should be changed to invalid cases instead.


Tracking this replacement at #22

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Drop all those unnecessary polyfills