Open jamesarosen opened 6 years ago
I ended up doing this:
// parent/index.js
const shouldExcludeInsecureChild = process.env.EXCLUDE_INSECURE_CHILD === 'true'
init() {
if (shouldExcludeInsecureChild) return
if (this.parent.addonPackages['insecure-child'] != null) return
console.warn(`
WARNING: in v2.0, parent will change insecure-child to an optionalDependency.
If you want to use insecure-child, add it to your project's package.json as a dependency.
If you do not want to use insecure-child, set EXCLUDE_INSECURE_CHILD to "true"
`)
}
shouldIncludeChildAddon(child) {
return child.name !== 'insecure-child' || !shouldExcludeInsecureChild
}
I have an addon,
parent
, that has as adependency
, another addon,insecure-child
. I'd like to includeparent
in my application, butinsecure-child
has an unpatched security problem, so I'd like to block it. (It's critical only to parts ofparent
that my application doesn't use.)Things I've tried:
Blacklist
ember-cli throws an exception saying that
child
is not found.Monkey-Patch
shouldIncludeChildAddon
This doesn't work because ember-cli-preprocessor-registry runs before
ember-cli-build
loads.Configurable child blacklist
If I control
parent
, I can overrideshouldIncludeChildAddon
there. My first instinct wasThe problem with this is that
shouldIncludeChildAddon
is called beforeconfig
is called. I could callthis.parent.config()
, but I don't have anenvironment
to pass it.