versions icon indicating copy to clipboard operation
versions copied to clipboard

Published 20 hours ago verified publisher icon deps-app

Projects that have dynamic names don't work

Open pmonks opened this issue 7 years ago • 8 comments
trafficstars

We have a single project (fn-fx) that emits two separate artifacts, under different names:

  1. https://clojars.org/fn-fx/fn-fx-javafx
  2. https://clojars.org/fn-fx/fn-fx-openjfx11

It appears that versions doesn't handle that properly, as our dependency status badge is no longer functional:

Dependencies Status

Note: this may be another symptom of issue #5.

pmonks avatar Oct 30 '18 18:10 pmonks

Ouch, yeah the trouble with this is that the project.clj parser doesn't execute any code which is what's needed here to distinguish between the two versions. Will have to noodle on this further.

danielcompton avatar Oct 31 '18 21:10 danielcompton

Here's a possible idea (that may be completely off base, so feel free to shoot it down if it clearly won't work):

Instead of trying to read project.clj files as static data structures, why not just run a leiningen plugin that checks dependencies and updates whatever data structure(s) the versions front end uses? That way you can leverage all of leiningen's built-in magic for "free".

This might even be as simple as just running something like lein-ancient, and then twizzling the output a bit.

pmonks avatar Nov 09 '18 17:11 pmonks

The issue with reading it via a Leiningen plugin is that that causes arbitrary code to be executed. The trick is doing this safely. If I just do this on the Heroku server then I will have arbitrary code execution on the same server, not ideal...

To solve this in the general case I think you'd need to use something like Lambda or a similar isolated code execution environment.

danielcompton avatar Nov 14 '18 08:11 danielcompton

You could execute the leiningen + custom plugin in a container, then throw it away as soon as it's done. The only thing that would survive the container would be whatever data the custom plugin emits (project name, version, dependency graph, etc.). Given that you control the plugin, there's almost no risk of arbitrary code somehow "escaping" the container.

This is how services that are fundamentally based on arbitrary code execution (e.g. TravisCI) handle this kind of thing.

pmonks avatar Nov 14 '18 21:11 pmonks

Yep, that's what I need to do, it's just a tricky problem to solve safely.

danielcompton avatar Nov 15 '18 03:11 danielcompton

Containers provide a safe sandbox in which to execute arbitrary code, and the only component that will be touching the environment outside the container (the custom leiningen plugin) is entirely under your control.

pmonks avatar Nov 15 '18 18:11 pmonks

There's even this library to make managing the temporary container easier.

pmonks avatar Nov 15 '18 20:11 pmonks

For anyone else finding this issue, an alternative approach would be to use the antq lein plugin as a github action, and then self-hosting a badge

vemv avatar Feb 02 '22 07:02 vemv