-
-
Notifications
You must be signed in to change notification settings - Fork 934
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow pushing gems with unresolved deps #5344
base: master
Are you sure you want to change the base?
Disallow pushing gems with unresolved deps #5344
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5344 +/- ##
==========================================
- Coverage 97.14% 94.24% -2.90%
==========================================
Files 458 458
Lines 9584 9651 +67
==========================================
- Hits 9310 9096 -214
- Misses 274 555 +281 ☔ View full report in Codecov by Sentry. |
8f8f089
to
24f1091
Compare
54d4d48
to
b531f86
Compare
@@ -26,6 +26,7 @@ def process | |||
authorize && | |||
verify_gem_scope && | |||
verify_mfa_requirement && | |||
verify_dependencies_resolvable && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do you think of the idea of adding an on: :create
validation to the Dependency
model?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@segiddins Just took a look - Could be off but my understanding is that the on create validation in Dependency would have to prevent the push if the name is unresolved. It seems like for other contexts(not pushing), there is a validation already called use_existing_rubygem
but it just sets the unresolved_name
of the dependency if its not found. If we were to go this route, would it make sense to add a condition into this validation to check whether a gem is being pushed rather than creating a new validation?
I'm leaning towards having it in Pusher because it checks all dependencies in one query and can fail early before creating Dependency objects, which seems more efficient than adding per-dependency validations in the context of pushing. I could totally be missing something though - what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
which seems more efficient than adding per-dependency validations in the context of pushing
We're already doing the query though to find the rubygem
in Dependency#use_existing_rubygem
. Adding a validation on: :create
wouldn't require any additional queries. Version#update_dependencies!
is already doing the lookup one-by-one
Since use_existing_rubygem
is a before_validation
hook, I think we would want a new validation, so it becomes easy to scope to on: :create
, but writing one that gives an error message saying which gem name isn't resolved seems both easy and a good idea
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@segiddins
Ah I see, I think I was mistaken in thinking that the additional Dependency
validation would add a query for each dependency. If I'm understanding correctly now, you're saying the new validation wouldn't create extra queries since it would use the results already found by use_existing_rubygem
?
Also wanted to circle back to my point about early validation in Pusher. Say a gem being pushed has 30 dependencies and the last one is invalid, was thinking the validation in Dependency
would do something like this:
1. Create 30 Dependency objects
2. Run use_existing_rubygem 30 times (30 queries)
3. Fail on the last validation
While the Pusher
validation would go something like this:
1. Run one query to check for and return all missing dependencies
2. Fail early since last one is invalid
3. Skip creating any Dependency objects since validation fails (no additional queries)
What are your thoughts on this aspect? I do agree the validation fits more naturally in the Dependency model, but it seems like the early check could save some work. I'm not sure how significant the savings would be in practice though, perhaps a dependency typo is rare event not worth worrying about
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it's significant enough in practice, because we have to do all that work anyways when there isn't a typo
b531f86
to
0bc7b90
Compare
Fixes #5055
This verifies that all dependency names exist when pushing a gem. Wasn't super sure on where to put this in the process flow, thought putting it either inside or after
validate
made sense as well.