merkle-open / env-linter Goto Github PK

Type of issue

• Build

Description

Remove node 12 support check from pipeline. Regarding the node releases site is node 12 end of life by the 30th of april 2022.

As part of the versions-check, check the LTS-property from node-list and stop process execution if a none-LTS version of node is being used.

The LTS-Property contains either the name of the LTS-Version or false if it is not a Long-Term Support version.

This is a follow-up ticket.

Description

Currently the Env-Linter supports node version 10. Node Version 10 is not maintained anymore and therefore needs to be deleted.

Also the packages need to be updated. Package updates that meet the following requirements can be updated:

• Supports node version 12
• Is not a ESM package

The configuration setup was changed in husky [v6](https://typicode.github.io/husky/#/?id=migrate-from-v4-to-v6). Would be nice to add the support for it.

husky v6 hooks are currently not detected:

✖ Git hooks are not installed. Install with "npm i -D husky".

Code referece: https://github.com/merkle-open/env-linter/blob/master/src/hooks-installed.ts#L20-L21

Update documentation (README) on how to use the env-linter.

Use env-linter as a regular dev-dependency (not with npx) because of various reasons.

The automatic code quality checking and analysis was not working since 1. January 2022. What was noticed is, that it is already deprecated and the version v2 is out.

Goal

• Use new code quality v2 (read more)
• Ensure good coverage and functionality

Recently, I have started to get this output:

✔ Your node version 18.16.0 works with the required version (18) of your project.
✖ Change npm version! You are using node 18.16.0 with npm 8.19.2, keep node and npm in sync! Why is this? (​https://github.com/merkle-open/env-linter/tree/master/docs/versions.md​)
✔ Your node version 18.16.0 is a LTS version.
✔ Your node version 18.16.0 is a secure version.
✔ Git hooks are installed.
✔ NPM save-exact config is set to true.
✔ All dependencies in pabau have been installed by exact version definition.
✔ All devDependencies in pabau have been installed by exact version definition.
Stopping any further processes!
error Command failed with exit code 1.

This is running inside a Docker container (ubuntu:20.04) that ran this to install Node:

wget -qO- https://deb.nodesource.com/setup_18.x | bash - && \
    apt-get install --no-install-recommends -y nodejs

Additionally, the URL quoted in the error, https://github.com/merkle-open/env-linter/tree/master/docs/versions.md , does not exist

I would recommend not using this cli with npx.

This for various reasons:
a) The running context for npx is not always the project directory. When e.g. using a node version manager that does not change the complete environment (like nodist) neither the correct node version nor the environment configuration of the project can be found out.
b) Runnability of npx is not given on all environments (on bamboo e.g. you can't use it – )
c) Using npx will first try to load the package from the project if present (--ignore-existing could solve this ;-)
d) And last but not least - Having more controll over usage (API) and better reproducability when loaded as project devDependency – and you'll be more aware when updates are published by maintaining the project.

When I think of npx, it always seems like you never know what you're gonna get.

What do you think?

env-linter should not stop process execution if a newer version of npm is used than the npm version that comes with a specific node-version. Compare node-list.

Change the implementation so that this check only fails if the npm-version is older than the node-version (which I guess is only possible with certain node version managers).

Type of issue

• Feature request

Description

Migrate from commonjs to ESM since most of the packages used are migrating to ESM. This allows us to benefit from all kinds of feature the packages bring (security, new features, performance, etc.)

Travis Configuration is outdated.
We could move to GitHub actions

Hi, I am facing a problem on a fresh install of Ubuntu:

$ yarn env-linter -s || cat .npmrc
yarn run v1.22.19
$ /home/user/repos/bitbucket.org/monorepo/node_modules/.bin/env-linter -s
✖ NPM save-exact is turned off. Why is this?
Stopping any further processes!
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
auto-install-peers=false
strict-peer-dependencies=false
save-exact=true

I get this same error with both 1.0.0 and 2.0.0

If one of the checks fails, it would be nice to provide more information on why it failed and what actions can be taken to fix it.

To make sure the output on the CLI is not too extensive, we could add some kind of Why is this? - link at the end of a failed check. Preferably the additional information is stored in a separate folder (e.g. docs) which contains several markdown files for the individual errors that could occur.

Thanks @jantimon for this suggestion. I am sure this will help new developers understand the errors better. 🤓

Whan having the following setup:

Project Root (git root)
- Folder a (Package json)
- Folder b (Package json with env linter)

Folder a contains a 3rd Party Folder having a package json.
Folder b contains my Project with the env Linter.

The problem is, that when running npm i from Folder b, the env linter also checks the package in Folder a which does not have a valid package json according to the env linter rules.

You can reproduce the problem by checking out this repo: https://github.com/janwidmer/env-linter-bug

and do the following steps:

1. Open the terminal
2. Go into the folder wp-content/themes/my-theme
3. Run npm i
4. See the error:

✖ Not all devDependencies in twentynineteen have been declared by exact version(s). Why is this? (​https://github.com/merkle-open/env-linter/tree/master/docs/dependenciesExactVersion.md​) 
	- [@wordpress/browserslist-config] Approximate version identifier "^" is not allowed.
	- [autoprefixer] Approximate version identifier "^" is not allowed.
	- [chokidar-cli] Approximate version identifier "^" is not allowed.
	- [node-sass] Approximate version identifier "^" is not allowed.
	- [npm-run-all] Approximate version identifier "^" is not allowed.
	- [postcss-cli] Approximate version identifier "^" is not allowed.
	- [postcss-focus-within] Approximate version identifier "^" is not allowed.
	- [rtlcss] Approximate version identifier "^" is not allowed..

Type of request

• Build

Description

• Update packages to newest version
• Upgrade from webpack v4 to v5

As part of the versions-check, check the security-flag from node-list and stop process execution if an unsecure version is being used.

Whenever node releases a new version because of a security vulnerability within node (or npm), the release is flagged with "security": true. We can use this to make sure projects run a secure version of node/npm. More information about the security flag.

This is a follow-up ticket.

What is the point of validating save-exact when running npm ci. Is it happening because we are not able to distinguish between npm install and npm ci?

How am I supposed to handle errors in GitHub Actions which is happening because I do not have there save-exact=true?

We should remove the env-linter from the scope @namics and use a generic name. (e.g. envlinter, environment-linter, ...)