librariesio/bibliothecary

All Gemfile.lock dependencies are treated as 'runtime'

havocp opened this issue · 3 comments

So the rule in the rubygems/ruby world, in the case of libraries, would be:

  • Everything in the Gemfile/Gemfile.lock file is a development dependency, because the Gemfile is never evaluated at runtime.

  • In the gemspec, add_development_dependency is used for development dependencies, and add_runtime_dependency for runtime dependencies.

But this is only for libraries; for a final application it's a whole different thing.

That sounds like we might need a configuration option of some kind to set the type to assign to gemfile deps... or maybe the "type" we assign to Gemfile packages by default shouldn't be dev vs. runtime at all but more something noncommittal like "gemfile" or "unknown", and then it can be configured? Or possibly a default like runtime is more useful, as long as it can be corrected via config for libraries.

If this library is also used for final applications, then I'd say you need to detect whether you're analyzing a library or an application, and then act accordingly. If this library is only meant to be used by libraries, then would anything break if you assign "development" instead of "runtime" to all dependencies coming from the Gemfile?
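The rule from the first comment (gemspec declarations carry the real runtime/development split, Gemfile deps of a library are development-only), the configurable default from the second, and the library-vs-application detection from the third, put together in one added Ruby example. This is not bibliothecary's own parser; the regex-based gemspec and Gemfile.lock parsing, the `project_kind` option, the `"gemfile"` placeholder label and the gemspec-presence heuristic in `detect_project_kind` are all assumptions made here for illustration, and the sample manifests are constructed.

```ruby
# Added example, not bibliothecary's code: classify Gemfile.lock dependencies
# following the rule discussed in this issue, with a configurable default.

# Constructed sample gemspec text.
SAMPLE_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |s|
    s.name = "example"
    s.add_runtime_dependency "nokogiri", "~> 1.15"
    s.add_dependency "rack", ">= 2.0"
    s.add_development_dependency "rspec", "~> 3.12"
  end
GEMSPEC

# Constructed sample Gemfile.lock text (only the DEPENDENCIES section is read here).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.4)
      rack (3.0.8)
      rspec (3.12.0)
      rubocop (1.56.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri (~> 1.15)
    rack (>= 2.0)
    rspec (~> 3.12)
    rubocop
LOCK

# Parse add_runtime_dependency / add_dependency / add_development_dependency
# calls from a gemspec (simplified regex, an assumption of this example).
# add_dependency is an alias for add_runtime_dependency in RubyGems.
def parse_gemspec(text)
  pattern = /add_(runtime_dependency|dependency|development_dependency)\s*\(?\s*["']([^"']+)["']/
  text.scan(pattern).map do |kind, name|
    type = kind == "development_dependency" ? "development" : "runtime"
    { name: name, type: type }
  end
end

# Names listed under DEPENDENCIES in a Gemfile.lock, with version
# constraints and the trailing "!" (path/git sources) stripped.
def parse_lockfile_dependencies(text)
  section = text.split(/^DEPENDENCIES\n/, 2)[1] or return []
  section.each_line.take_while { |l| l =~ /^\s+\S/ }.map do |line|
    line.strip.sub(/\s*\(.*\)\z/, "").sub(/!\z/, "")
  end
end

# Heuristic (assumption): a project shipping a .gemspec is a library,
# one with only a Gemfile is an application, anything else is unknown.
def detect_project_kind(filenames)
  return :library if filenames.any? { |f| f.end_with?(".gemspec") }
  return :application if filenames.include?("Gemfile")
  :unknown
end

# Assign a type to every Gemfile.lock dependency:
#   :library     -> Gemfile deps default to "development" (the Gemfile is
#                   never evaluated at runtime; runtime deps come from the gemspec)
#   :application -> Gemfile deps default to "runtime"
#   :unknown     -> the noncommittal "gemfile" label, to be configured later
# Where a gemspec declares the gem, its declaration wins over the default.
DEFAULT_TYPE = { library: "development", application: "runtime", unknown: "gemfile" }.freeze

def classify_dependencies(lockfile_text, gemspec_text: nil, project_kind: :unknown)
  gemspec_types = gemspec_text ? parse_gemspec(gemspec_text).to_h { |d| [d[:name], d[:type]] } : {}
  default = DEFAULT_TYPE.fetch(project_kind)
  parse_lockfile_dependencies(lockfile_text).map do |name|
    { name: name, type: gemspec_types.fetch(name, default) }
  end
end

if __FILE__ == $PROGRAM_NAME
  kind = detect_project_kind(%w[example.gemspec Gemfile Gemfile.lock])
  classify_dependencies(SAMPLE_LOCKFILE, gemspec_text: SAMPLE_GEMSPEC, project_kind: kind).each do |dep|
    puts "#{dep[:name]}: #{dep[:type]}"
  end
end
```

Running the block as a script classifies the constructed library project: nokogiri and rack come out as runtime (from the gemspec), rspec as development (from the gemspec), and rubocop, which only the Gemfile knows about, falls back to the library default of development. Switching `project_kind` to `:application` flips that fallback to runtime, and leaving it at `:unknown` yields the placeholder label instead of guessing.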