Shopify/packwerk

[Bug Report] Dependency violation not detected when using public folders or in non-public folder with dependencies specified

jibeizhao opened this issue · 1 comments

Description
I learned that we still need to add the dependency to the list even after moving the code to the public folder, from the demo video and the packwerk blog:

references from Package A to Package B are valid if:

  • Package A declares a dependency on Package B, and;
  • The referenced constant is a public constant in Package B

To Reproduce

  1. public folder does not raise:

     git clone https://github.com/jibeizhao/packwerk-test.git
     bundle install
     git checkout main
     packwerk check

If you look at app/models/building/package.yml, there are no dependencies specified, and there is actually a violation in house.rb.

  2. private folder does not raise with dependencies:

     git checkout private-folder
     packwerk check

This branch has truck.rb in the non-public folder and the dependency specified in the building package; it should raise a violation.

Version Information

  • Packwerk: v3.0.1
  • Ruby v3.2.0

Hi @jibeizhao! Thanks for your question.

A lot has changed since that video and blog post were produced. As of Packwerk 3, privacy enforcement has been moved to https://github.com/rubyatscale/packwerk-extensions. If you have issues with privacy enforcement specifically, that would be the best place to get help.

That being said – the issue here is that dependency and privacy violations are totally independent.

  • Packwerk thinks something is a privacy violation if you’re referencing a constant/class/module defined in the private implementation (i.e. not the public folder) of another pack
  • Packwerk thinks something is a dependency violation if you’re referencing a constant/class/module defined ANYWHERE but your pack doesn’t list it as an explicit dependency.

In this case, making something public can resolve a privacy violation, but has no effect on dependency violations. Dependency violations will show up if you reference a constant (public OR private) but do not list a dependency on the package that defines that constant.
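The two checks described in the reply above, as a simplified Ruby model that evaluates all four combinations of "dependency declared or not" and "constant public or private". This is an added example, not code from packwerk or packwerk-extensions; the pack names `packs/building` and `packs/vehicle` and the constants `Truck`, `Engine` and `House` are hypothetical.

```ruby
# Simplified model of the two independent checks described in the reply.
# Not packwerk's implementation; pack and constant names are hypothetical.
Pack = Struct.new(:name, :dependencies, :public_constants, :private_constants,
                  keyword_init: true) do
  def defines?(constant)
    public_constants.include?(constant) || private_constants.include?(constant)
  end
end

# Returns the violations raised when `source` references `constant` in `target`.
def violations(source:, target:, constant:)
  raise ArgumentError, "#{target.name} does not define #{constant}" unless target.defines?(constant)
  return [] if source.name == target.name # references inside one pack are not checked

  found = []
  # Dependency check: looks only at the referencing pack's declared dependencies.
  found << :dependency unless source.dependencies.include?(target.name)
  # Privacy check: looks only at whether the constant is public in the defining pack.
  found << :privacy unless target.public_constants.include?(constant)
  found
end

# Evaluates every combination: dependency declared or not, constant public or private.
def matrix
  vehicle = Pack.new(name: "packs/vehicle", dependencies: [],
                     public_constants: ["Truck"], private_constants: ["Engine"])
  result = {}
  [true, false].each do |declared|
    building = Pack.new(name: "packs/building",
                        dependencies: declared ? [vehicle.name] : [],
                        public_constants: [], private_constants: ["House"])
    %w[Truck Engine].each do |constant|
      result[[declared, constant]] =
        violations(source: building, target: vehicle, constant: constant)
    end
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  matrix.each do |(declared, constant), found|
    puts format("declared=%-5s constant=%-6s violations=%s", declared, constant, found.inspect)
  end
end
```

Only the row with a declared dependency and a public constant comes back clean, which matches the rule quoted in the issue: both conditions must hold, and satisfying one does not satisfy the other.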