search

Meteor-Community-Packages / check-npm-versions

Enforces "peer" npm dependencies in Meteor 1.3+ Atmosphere packages.
MIT License
11 stars 10 forks source link

importing npm sub-folders can confuse checkNpmVersions #29

Closed brucejo75 closed 3 years ago

brucejo75 commented 3 years ago

This had me confused for quite a while today...

Repro

I am using nanoid@2.0.1.

In my package I

import { checkNpmVersions } from 'meteor/tmeasday:check-npm-versions';

checkNpmVersions({'nanoid': '2.0.1'}, 'meris:base');

const nanoid = require('nanoid/generate');

Result

Error message output:

WARNING: npm peer requirements (for meris:base) not installed:
  - nanoid@2.0.1 not installed.

Read more about installing npm peer dependencies:
  http://guide.meteor.com/using-packages.html#peer-npm-dependencies

Discussion

I believe that modules-runtime scans all the code looking for all import / require statements. Then if fills out a file tree structure based on those scans.

If you only reference a subfolder in an import or require, e.g.

import 'packageName/subfolder`;

modules-runtime would be unaware of anything in node_modules/packageName it would only be aware of what is in node_modules/packageName/subfolder. So it cannot find node_modules/packageName/package.json.

Workaround

essentially you can whitelist package.json for checkNpmVersions just like dynamic import whitelisting: 

if(false) {
  require(`packageName/package.json`)'
}

FIX?

Not sure how this could be fixed in this case? Maybe this should be documented?

brucejo75 commented 3 years ago

I think #30 would resolve this.

brucejo75 commented 3 years ago

@copleykj, Thanks for the quick response!

copleykj commented 3 years ago

Yeah, unfortunately there isn't much to do but document because of the way the build system works.

In all reality, this package was a bandaid and honestly this functionality deserves first class support within the build system and this package retired.