Prevent submitting packages with `hook/xx.dart` that are not allowlisted
@jonasfj suggested that we should prevent people from uploading packages to pub.dev with hooks that we haven't specified.
This should be relatively easy to add to the validator.
For now, we'd only allowlist hook/build.dart and hook/link.dart.
Context:
- https://github.com/dart-lang/sdk/issues/54334
cc @mosuem @sigurdm
I think we should at least consider it. Probably we need to scan all packages to see if anyone is already using this directory.
I guess it would be an overridable warning. Another pub client-side validation?
Or do we want a server-side check?
What about helper files, if my build.dart is getting too complex? Should they not be stored in hooks/src/ or similar?
I'd probably put these in src/. I think for bin/ scripts we also store the complex logic in src/. The bin/ and hook/ directories should only contain the entry-points. cc @jonasfj @sigurdm
Is this language versioned? (Will future SDKs potentially allow more files here?)
I think we are converging on a server-side check. That is easier to update/relax over time.
Let's make a server-side map:

```dart
final _hookMinimumRequiresSdkForFile = {
  // Because if you have "hook/build.dart" in the package,
  // then you must have 'environment.sdk' with a minimum bound of 3.45.0.
  // The actual version number is illustrative.
  'build.dart': '3.45.0',
};
```
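As an added example (not pub-dev's own validator code), here is one way the server-side check sketched above could be written: every file under `hook/` must be an allowlisted entry-point, nested helpers are rejected (they belong in `lib/src/`), and the package's `environment.sdk` lower bound must reach the minimum recorded for that file. The function name `validateHookFiles` is hypothetical, the version numbers are illustrative placeholders as in the comment above, and it assumes the `pub_semver` package for constraint parsing.

```dart
// Added example, not pub-dev's own code. Assumes package:pub_semver.
import 'package:pub_semver/pub_semver.dart';

/// Files allowed directly under `hook/`, mapped to the minimum `environment.sdk`
/// lower bound a package must declare to ship them. Versions are placeholders.
const Map<String, String> _hookMinimumRequiresSdkForFile = {
  'build.dart': '3.45.0', // illustrative
  'link.dart': '3.45.0', // illustrative
};

/// Returns validation problems for [files] (package-relative, '/'-separated
/// paths from the uploaded archive) given the package's `environment.sdk`
/// constraint. An empty list means the hook/ directory is acceptable.
/// Hypothetical helper, not pub-dev's API.
List<String> validateHookFiles(
  Iterable<String> files,
  VersionConstraint sdkConstraint,
) {
  final problems = <String>[];
  for (final path in files) {
    if (!path.startsWith('hook/')) continue;
    final rest = path.substring('hook/'.length);

    // Only entry-points live in hook/; helpers go to lib/src/ or similar.
    if (rest.contains('/')) {
      problems.add('`$path`: subdirectories under `hook/` are not allowed; '
          'move helper code to `lib/src/`.');
      continue;
    }

    final minimum = _hookMinimumRequiresSdkForFile[rest];
    if (minimum == null) {
      final allowed = _hookMinimumRequiresSdkForFile.keys
          .map((k) => 'hook/$k')
          .join(', ');
      problems.add('`$path`: not an allowlisted hook; allowed files are $allowed.');
      continue;
    }

    // A range (or a single Version, which implements VersionRange) has a
    // lower bound; unions or `any` give no usable minimum and are rejected.
    final lowerBound =
        sdkConstraint is VersionRange ? sdkConstraint.min : null;
    if (lowerBound == null || lowerBound < Version.parse(minimum)) {
      problems.add('`$path` requires `environment.sdk` with a minimum bound '
          'of $minimum (found `$sdkConstraint`).');
    }
  }
  return problems;
}

void main() {
  // Constructed sample archive listing.
  final files = [
    'lib/foo.dart',
    'hook/build.dart',
    'hook/src/helper.dart',
    'hook/test.dart',
  ];
  // Reports the nested helper and the non-allowlisted hook/test.dart.
  print(validateHookFiles(files, VersionConstraint.parse('>=3.45.0 <4.0.0')));
  // Reports that hook/build.dart needs a newer SDK lower bound.
  print(validateHookFiles(
      ['hook/build.dart'], VersionConstraint.parse('>=3.0.0 <4.0.0')));
  // No problems.
  print(validateHookFiles(
      ['hook/link.dart'], VersionConstraint.parse('>=3.45.0 <4.0.0')));
}
```

Because the map is server-side data, relaxing the rule later (a new allowlisted file, a different minimum) is a deploy rather than a client update, which is the point made above about keeping the check on the server.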
Ah right, because we can just deploy a new version. With a client-side check we have old versions of Dart/pub client floating around forever. (Though I guess users could never submit a package with a newer version of Dart than the SDK they have locally.)
You're the experts, sgtm!
Closing as this has been implemented.