Closed wesley-dean-flexion closed 2 months ago
The project seems to have recent commits, but no releases since 3 years ago. Is it a linter commonly used in its respective domain?
One of the teams with whom I work uses it fairly extensively and it facilitates some functionality I'm trying to codify. The phrase that enters my mind is "policy compliance" even though it's closer to "are they following our recommendation?".
For example, one of our recommendations was that repos should have a .pre-commit-config.yaml
file; ideally, it should reference gitleaks, detect-secrets, etc. but that's really secondary. We can't tell if a developer is using pre-commit to keep secrets out of their commits; however, we can tell if a developer is not if the config file isn't there.
So, we would have a file-exists
rule with a glob that matches .pre-commit-config.yaml
.
That specific use-case aside, I believe there is value is in recommending a set of rules that help make it easier for repositories to adopt practices designed to help repository maintainers make community-friendly repos. So, encouraging folks to have CODEOWNERS and README files (etc.), adopt dependency maintenance tools (Dependabot, Renovate, etc.), and so on may help make the OSS world a better place.
recent commits, but no releases since 3 years ago
I'm not very surprised from a functionality perspective (once you get file-exists
working, I'm not sure how much maintenance of that code would be required). I will say that I'm a little disappointed from a dependency update / vulnerability perspective, for sure.
Thank you for the feedback, @echoix. It's very helpful for supporting intentional decisions.
If you try to find other issues where we introduced linters, there's a couple of guidelines that we try to follow.
Some factors we use:
Fair comments.
npm audit --dry-run
asserts that there are 2 criticals and 5 highs and that's not very comforting)docker build -t repolinter .
is 1.3GB. The list of dependencies listed is a little breath-taking (Ruby plus Python plus Perl plus the C/C++ build stack) just to build a Node app; it would be one thing if the it was a multi-stage build.. but it's not....and I would also add:
That said, I think it could add value, especially in situations where a group may have domain-specific rules that they want to enforce.
I share @echoix's thought as the latest release is from 2021 😨
But nothing prevents to create a MegaLinter Plugin, that way we are not responsible about the security around it and people use it at their own will and risk :)
create a MegaLinter Plugin
Ohh, good point! I keep forgetting about that option :facepalm:
If you try to find other issues where we introduced linters, there's a couple of guidelines that we try to follow.
Some factors we use:
- Actively maintained
- Not really new/recognized by the community
- Plays nice with other linters already there (especially npm ones)
- Useful
- Isn't dangerous (goes a little bit with the actively maintained criteria)
- Installed sized and linting speed. Introducing a linter that does almost nothing but takes 0.8 GB more space, or slows everyone by minutes doesn't have its place.
- Isn't too annoying for users when introducing it and enabled by default.
I love this list, we should add it somewhere in the documentation, and maybe use it to remove some linters for the next major version :)
Current candidates are protolint and sql-lint as they are not maintained and full of CVEs 😇
I share
Sure. It sounds like it's not a good match. That's totally fine -- it's why I asked before doing the work!
I'll close this out here. If anyone comes along afterwards, they can find this conversation.
Thank you, @nvuillam and @echoix for your help, your time, and your wisdom.
@wesley-dean-flexion if you really want to use repolint in MegaLinter, just write the descriptor in another repo, or directly in repolint repo, and you can use it as a plugin :)
The descriptor format is the same than for internal descriptor, except that you are restricted to RUN instructions for installation
I swear I submitted something like this already but I can't find it, so I must be hallucinating..
Is your feature request related to a problem? Please describe.
There's a group that provides Repolint, a "linter" that "lints" repositories. The rulesets (default ruleset) are configured via JSON file; the rules may be of the following types:
An example rule is:
which would throw an error (alternatively, it could throw a warning) if there is no file that matches
README*
(case-insensitive glob in this case). That is, the ruleset requires the conditions under which the repository would pass (so, read this as "the repo must have a README")Describe the solution you'd like
I would like to add
REPOSITORY_REPOLINT
. I'm happy to do the implementation. My request here, like with #3493, is whether or not folks think this is a good idea to add.Describe alternatives you've considered
...not..using Repolint?
Additional context
I'm happy to do the work if folks thing it's worth it and it's in alignment with the vision for MegaLinter.