New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent submitting packages with hook/xx.dart
that are not allowlisted
#7541
Comments
I think we should at-least consider it. Probably we need to scan all packages to see if anyone is already using this directory. |
I guess it would be an overridable warning. Another pub client-side validation? Or do we want a server-side check? |
What about helper files, if my |
I'd probably put these in |
Is this language versioned? (will future sdk's potentially allow more files here)? |
I think we are converging on a server-side check. That is easier to update/relax over time. |
Let's make a server side map: final _hookMinimumRequiresSdkForFile = {
// because if you have "hook/build.dart" in the package
// then you must have 'environment.sdk' with a minimum bound of 3.45.0
// The actual version number is illustrative.
'build.dart': '3.45.0',
}; |
Ah right, because we can just deploy a new version. With a client-side check we have old versions of Dart/pub client floating around forever. (Though I guess users could never submit a package with a newer version of Dart than the SDK they have locally.) You're the experts, sgtm! |
@jonasfj suggested that we should prevent people from uploading packages to pub.dev with hooks that we haven't specified.
This should be relatively easy to add to the validator.
For now, we'd only allowlist
hook/build.dart
andhook/link.dart
.Context:
hook/
directory 🪝 sdk#54334cc @mosuem @sigurdm
The text was updated successfully, but these errors were encountered: