dart-lang / pana

Package ANAlysis for Dart
https://pub.dev/packages/pana
BSD 3-Clause "New" or "Revised" License

summary.allDependencies include dev_dependencies #1167

Open jonasfj opened 1 year ago

jonasfj commented 1 year ago

https://pub.dev/packages/googleclouddatastore/pubspec

has summary.allDependencies that includes protoc-plugin.

Context: I noticed this because I have APIs that sanitize output from pana, and protoc-plugin is not a valid package name, so it complained.

IMO, summary.allDependencies should be all packages that when updated may affect the analysis of this package. Or we should introduce another property on summary that is dependencies as a list of package names that when updated should trigger reanalysis.

isoos commented 1 year ago

Based on the current uses of Summary.allDependencies, I think we may leave the dev dependencies out of it.

However, while checking the uses of it, I've found that we also add the dev dependencies to the search index without verification: _buildDependencies in https://github.com/dart-lang/pub-dev/blob/master/app/lib/search/backend.dart#L169. We should either provide the fully verified dependencies map through pana, or not add those values to the search index.
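Added example, not part of the thread and not pana or pub-dev code: one way to validate dependency names taken from an untrusted pubspec before they reach a search index or an API response. The function names, the sample pubspec and the name rule (lowercase letters, digits and underscores, not starting with a digit, not a Dart reserved word) are assumptions made for this illustration.

```dart
// Added illustration. All names here are hypothetical, not pana/pub-dev APIs.
final _validName = RegExp(r'^[a-z_][a-z0-9_]*$');

// Dart reserved words, which cannot be used as package names.
const _reservedWords = {
  'assert', 'break', 'case', 'catch', 'class', 'const', 'continue',
  'default', 'do', 'else', 'enum', 'extends', 'false', 'final', 'finally',
  'for', 'if', 'in', 'is', 'new', 'null', 'rethrow', 'return', 'super',
  'switch', 'this', 'throw', 'true', 'try', 'var', 'void', 'while', 'with',
};

bool isValidPackageName(String name) =>
    _validName.hasMatch(name) && !_reservedWords.contains(name);

/// Splits untrusted dependency keys into names that are safe to store and
/// names that must be dropped (and logged) instead of being passed along.
Map<String, List<String>> partitionDependencyNames(Iterable<Object?> rawNames) {
  final accepted = <String>{};
  final rejected = <String>[];
  for (final raw in rawNames) {
    if (raw is String && isValidPackageName(raw)) {
      accepted.add(raw);
    } else {
      rejected.add('$raw'); // keep the offending key for diagnostics
    }
  }
  return {'accepted': accepted.toList()..sort(), 'rejected': rejected};
}

void main() {
  // Constructed sample pubspec; keys are author-controlled, unverified input.
  final pubspec = {
    'dependencies': {'http': '^1.0.0', 'protobuf': '^3.0.0'},
    'dev_dependencies': {'test': '^1.24.0', 'protoc-plugin': '^0.5.0'},
  };
  final deps = pubspec['dependencies']!.keys;
  final devDeps = pubspec['dev_dependencies']!.keys;

  // Runtime dependencies only: the set whose updates should trigger reanalysis.
  print(partitionDependencyNames(deps));
  // Including dev_dependencies: the invalid key lands in 'rejected'.
  print(partitionDependencyNames([...deps, ...devDeps]));
}
```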

sigurdm commented 7 months ago

Seems to still be the case: https://pub.dev/api/packages/googleclouddatastore/metrics?pretty