workiva / dependency_validator Goto Github PK

Release a null-safe version of this package.

From @michaelcarter-wf:

[1:11 PM] Michael Carter: I can't seem to get dependency_audit to ignore some packages:

$ pub run dependency_validator --ignore coverage,dart_style,dartdoc,over_react_format,semver_audit,designated_driver
   Validating dependencies for workflow_client
   These packages are used outside lib/ but are not dev_dependencies:
     * designated_driver
     * shelf
     * shelf_proxy
     * w_router
     * w_webdriver_utils

Note that designated_driver is supposed to be ignored but still shows up in the warnings.

Hey there,
I use this quite often when I am testing out a bunch of different packages and seeing what I like best as sometimes I will remove something from code but forget to remove it from the pubspec. There are a decent number of them, though, that need to stay in there for various reasons, but end up showing up on the list and it can be a pain to try and add them as an ignore each time.

Is it possible that, perhaps, something like this could be used?

Example:

  cross_local_storage: ^1.1.1
  draggable_scrollbar: ^0.0.4
  event: ^1.1.4
  event_bus: ^1.1.1 #skip
  eventsubscriber: ^1.2.0
  file_picker: ^1.11.0+2 #skip
  flutter_markdown: ^0.4.1
  get_it: ^4.0.2

Then the ones that have #skip (or whatever would be best to use) do not get included in the output after a check? If not that, then what might also work is perhaps something like:

// dep_ignore.json
{
  event_bus: ^1.1.1
  eventsubscriber: ^1.2.0
  file_picker: ^1.11.0+2
}

> dependency_validator --skip-file=dep_ignore.json

Really, anything would help, as I am making a desktop app and I have a fairly large number of them that would end up on the list. So being able to do at least something with the ones I know I will always skip would be quite nice.

Thanks,
-MH

dev_dependencies:
  flutter_native_splash: ^1.2.3

This show error:

The following packages contain executables, they are assumed to be used:
  * flutter_native_splash

What does it mean and how to fix it?

Running dependency_validator --help should print usage info for this command.

Right now, it errors:

Unhandled exception:
FormatException: Could not find an option named "help".
#0      Parser.validate (package:args/src/parser.dart:256:21)
#1      Parser.parseLongOption (package:args/src/parser.dart:245:7)
#2      Parser.parse (package:args/src/parser.dart:86:11)
#3      ArgParser.parse (package:args/src/arg_parser.dart:133:45)
#4      main (file:///Users/greg.littlefield/.publink/dependency_validator/bin/dependency_validator.dart:32:32)
#5      _startIsolate.<anonymous closure> (dart:isolate-patch/isolate_patch.dart:263)
#6      _RawReceivePortImpl._handleMessage (dart:isolate-patch/isolate_patch.dart:151)

It would like to be able to use this plugin as part of CI/CD.
mainly -
if it detects an unused package, it should fail the build.
Right now I see that it only prints to the cli.

So if you could add a flag like --fail-on-unused-package or something,
and this flag would cause the execution to terminate with an error code -
that would be enough for us to use this in CI/CD -
simply run flutter pub run dependency_validator --fail-on-unused-package, and if it fails - the build fails.

WDYT?

I updated to version 2.0.0 and I'm running into an error where the path to the build config is unable to be found. I get the following error message:

Unhandled exception:
FileSystemException: No file found, path = 'D:\D:/tools/flutter/.pub-cache/hosted/pub.dartlang.org/cupertino_icons-1.0.0/pubspec.yaml'
#0 _fromPackageDir (package:build_config/src/build_config.dart:198:3)

#1 BuildConfig.fromPackageDir (package:build_config/src/build_config.dart:32:27)
#2 dependencyDefinesAutoAppliedBuilder (package:dependency_validator/dependency_validator.dart:316:24)
#3 run (package:dependency_validator/dependency_validator.dart:263:15)

#4 main (file:///D:/tools/flutter/.pub-cache/hosted/pub.dartlang.org/dependency_validator-2.0.0/bin/dependency_validator.dart:79:9)
#5 _startIsolate. (dart:isolate-patch/isolate_patch.dart:299:32)
#6 _RawReceivePortImpl._handleMessage (dart:isolate-patch/isolate_patch.dart:168:12)

At first glance it looks like an additional drive label is being appended, however, I printed out the pubspec variable inside of _fromPackageDir and that returned /D:/tools/flutter/.pub-cache/hosted/pub.dartlang.org/cupertino_icons-1.0.0/pubspec.yaml. So perhaps it's just windows paths being formatted incorrectly.
I tested this out on my mac and everything works fine.

Flutter Doctor

[✓] Flutter (Channel stable, 1.22.4, on Microsoft Windows [Version 10.0.19041.630], locale en-US)
[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.2)
[✓] Android Studio (version 3.6)
[✓] VS Code (version 1.51.1)

I found this dependency on https://pub.dev/packages/dependency_validator

It says it is Flutter compatible (the dark blue box with Flutter in white)

I added:

dev_dependencies:
  dependency_validator: ^1.4.2

to the pubspec.yaml of Flutter project.

I opened Terminal and CD to the project.
I then enter:

$ pub run dependency_validator
The Flutter SDK is not available. // <- output

On the off chance I though I would try:

flutter pub run dependency_validator
Failed to precompile build_runner:graph_inspector:
../../.pub-cache/hosted/pub.dartlang.org/build_resolvers-1.2.1/lib/src/resolver.dart:263:31: Error: Too many positional arguments: 2 allowed, but 3 found.
Try removing the extra positional arguments.
  var sdk = FolderBasedDartSdk(resourceProvider, dartSdkFolder, true) // <- output, but this carries on for a while

Thanks!

From the README:

Some packages are not imported by any dart files but are used for their executables.

Based on this sentence I'm assuming that only import statements are found programatically. There is another way that a dependency can sneak in that you might want to consider, or at least warn in the readme so it can be treated the same way as executables.

If a class is returned from an API that isn't defined in the package, you can silently be depending on a method signature defined in some other package that you might not import.

import 'package:b/b.dart' as b;
// no import to package:c

void main() {
  b.someBMethod().someCMethod();
  // If someBMethod returned a class from C I have an implicit dependency on C
}

Here package:b could plausibly move to a new version of package:c without a breaking change version bump.

With type inference this 'type leaking' can happen in sneaker ways:

import 'package:b/b.dart' as b;
// no import to package:c

void main() {
  // Assume someBMethod has the signature: int someBMethod(C c)
  var x = someBMethod;
  x = (value) => value.someCMethod();
 // due to type inference I got autocomplete and would now break if someCMethod is renamed.
}

For example:

/mypackage
  ...some code...
  /example
    ...some code...
    pubspec.yaml
  pubspec.yaml

then when considering mypackage, should not consider files in example subpackage

git:(master) ✗ >pub global activate dependency_validator
Resolving dependencies... (9.4s)

• args 1.6.0
• charcode 1.1.3
• collection 1.14.12
• dependency_validator 1.5.0
• logging 0.11.4
• meta 1.1.8
• path 1.7.0
• pub_semver 1.4.4
• source_span 1.7.0
• string_scanner 1.0.5
• term_glyph 1.1.0
• yaml 2.2.1
  Downloading dependency_validator 1.5.0...
  Downloading logging 0.11.4...
  Downloading pub_semver 1.4.4...
  Downloading yaml 2.2.1...
  Downloading charcode 1.1.3...
  Downloading path 1.7.0...
  Downloading string_scanner 1.0.5...
  Downloading meta 1.1.8...
  Downloading source_span 1.7.0...
  Downloading term_glyph 1.1.0...
  Downloading args 1.6.0...
  Downloading collection 1.14.12...
  Precompiling executables... (1.4s)
  Precompiled dependency_validator:dependency_validator.
  Activated dependency_validator 1.5.0.
  git:(master) ✗ >dependency_validator --ignore coverage,dartdoc
  zsh: command not found: dependency_validator

For example, its content:

include: package:mypackage/my_analysis_options.yaml

Then mypackage is used indeed.

The flag --no-fatal-dev-missing is available but undocumented in the README.

When a package isn't imported, dependency_validator will print the following message if it has bin scripts.

The following packages contain executables, they are assumed to be used:

However, a dependency that isn't referenced in lib should always be a dev_dependency. As a result, I propose that if a package is listed under dependencies and is unused, but has scripts, then dependency_validator should fail and suggest moving the package into dev_dependencies

At the moment dependency validator thinks that this is real import:

void main() {
  final content = '''import 'package:test/test.dart';'''
  ...
}

Depency Validator should enforce that depencies used as transformers are in dependencies.

Readme stats to use the command
pub run dependency_validator but it didn't work for me

https://github.com/Workiva/dependency_validator#usage

Found that
dart run dependency_validator
is working

Is it possible to get output as JSON ?

add option in config for ignore warning if exist pinned dependencies

example:

build_runner: 2.1.7

Hi thanks for the package! It seems that many can be automatically fixed. Maybe directly edit pubspec yaml, or use command like dart pub add.

Currently, we detect dependency usages with regex matching. This is fast, but can produce false positives (#21). It's also separate tool that needs to be run manually and added to CI.

To address these, we should consider implementing the current logic as a plugin to the Dart analysis server. Users would get results as a part of their existing static analysis (including via IDEs for more immediate and continuous feedback).

For some reason, we want to ignore "These packages are used outside lib/ but are not dev_dependencies" case.
Is it possible add a config that ignore this check and return zero for pass checking ?

Some projects have nested packages in example/ or something similar which can lead to inaccurate results when running dependency_validator. We should allow users to exclude directories to address this issue.