JamieMason/syncpack

Assertions on transitive dependencies

jfirebaugh opened this issue · 3 comments

Thanks for making syncpack, it's been very useful for us at Figma!

Description

I often want to make assertions not just about what packages are directly depended on, but also about how transitive dependencies have been resolved.

Examples include:

  • Assert that react resolves to a consistent version globally, whether it's a direct dependency or a transitive dependency.
  • Assert that a package version with a security vulnerability is not present anywhere in the dependency tree.
  • Assert that certain common packages are resolved consistently, whether direct or transitive, to avoid filesystem bloat (typescript, babel, aws-sdk, etc.)

Suggested Solution

It would be nice if syncpack supported this somehow. Perhaps there should be a special type of version group that applies to transitive dependencies, or it should be an additional property on existing version group types.

For my purposes, it's fine if this was a "check only" feature. That is, I would like syncpack lint to check this, but I don't necessarily expect syncpack fix to be able to fix it (sometimes there's a package manager upgrade command that can fix it, but sometimes it requires types of manual intervention that can't be automated).
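The "check only" assertions described above, as an added example that is not syncpack code and not something the project supports: it reads the resolved tree out of an npm `package-lock.json` (lockfileVersion 2 or 3, whose `packages` object keys every installed copy by its `node_modules` path), then flags packages that resolve to more than one version anywhere in the tree and any copy of a package below a given fixed version. The lockfile contents and package names below are constructed for the example; it handles the npm format only (pnpm and yarn lockfiles are shaped differently), and the version comparison ignores prerelease tags.

```javascript
// Added example, not part of syncpack: lint-style assertions over the resolved
// dependency tree recorded in an npm package-lock.json (lockfileVersion 2 or 3).

// Constructed sample lockfile, shaped like a v3 package-lock.json: react is
// installed twice (18.2.0 at the root, 17.0.2 nested under some-legacy-widget)
// and an old lodash is pulled in transitively. Package names are hypothetical.
const SAMPLE_LOCKFILE = {
  name: "sample-monorepo",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-monorepo", workspaces: ["packages/*"] },
    "packages/app": { name: "app", version: "1.0.0", dependencies: { react: "^18.2.0" } },
    "node_modules/app": { resolved: "packages/app", link: true },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/some-legacy-widget": { version: "1.0.0", dependencies: { react: "^17.0.0", lodash: "^4.17.0" } },
    "node_modules/some-legacy-widget/node_modules/react": { version: "17.0.2" },
    "node_modules/some-legacy-widget/node_modules/lodash": { version: "4.17.20" },
  },
};

// Map each package name to every installed copy (version + lockfile path).
// Workspace entries (no node_modules/ in the key) and symlinked workspace
// packages (link: true) are skipped: they are not resolved from the registry.
function collectInstalled(lockfile) {
  const installed = new Map();
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1 || entry.link || !entry.version) continue;
    // Everything after the last "node_modules/" is the name; scoped names keep "@scope/".
    const name = key.slice(idx + "node_modules/".length);
    if (!installed.has(name)) installed.set(name, []);
    installed.get(name).push({ version: entry.version, path: key });
  }
  return installed;
}

// Compare dotted numeric versions (x.y.z); returns -1, 0 or 1. Assumption for
// this example: prerelease tags are dropped, so "1.0.0-beta" compares as 1.0.0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lint rules: every name in `consistent` must resolve to a single version across
// the whole tree; each `banned` entry flags any copy of `name` whose version is
// below `below` (for instance the first release that fixes an advisory).
function lintLockfile(lockfile, config) {
  const installed = collectInstalled(lockfile);
  const problems = [];
  for (const name of config.consistent || []) {
    const copies = installed.get(name) || [];
    const versions = [...new Set(copies.map((c) => c.version))];
    if (versions.length > 1) {
      problems.push(`${name} resolves to ${versions.length} versions: ` +
        copies.map((c) => `${c.version} (${c.path})`).join(", "));
    }
  }
  for (const { name, below } of config.banned || []) {
    for (const c of installed.get(name) || []) {
      if (compareVersions(c.version, below) < 0) {
        problems.push(`${name}@${c.version} at ${c.path} is below ${below}`);
      }
    }
  }
  return { ok: problems.length === 0, problems };
}

// Usage: in a real repository replace SAMPLE_LOCKFILE with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const result = lintLockfile(SAMPLE_LOCKFILE, {
  consistent: ["react", "typescript"],
  banned: [{ name: "lodash", below: "4.17.21" }],
});
for (const p of result.problems) console.log("- " + p);
console.log(result.ok ? "lockfile ok" : `${result.problems.length} problem(s) found`);
```

On the sample lockfile this reports the two react versions and the nested lodash 4.17.20, and says nothing about typescript because no copy is installed. Because the check is purely a read of the lockfile, it fits a CI lint step; fixing a finding (an `npm dedupe`, an `overrides` entry, or bumping the dependant that pins the old version) is left to the developer, matching the "check only" scope asked for above.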

Help Needed

Thanks @jfirebaugh, I see the need for this but I think it's outside of the scope of syncpack – you'd have to go pretty deep on the various lockfile formats, package managers etc – even TypeScript config and bundler config can play a role. It would be a lot of work and best handled by a specialised tool and team focused on that problem on its own.

Thanks for raising, but it's not something I have bandwidth to take on.

Totally fair! Thanks again for what you have built!

You're welcome 👍