Skip to content

fix: yarn.lock for frontend plugins #38

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gashcrumb wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: yarn.lock for frontend plugins #38

gashcrumb wants to merge 1 commit into from

Conversation

@gashcrumb
Copy link
Member

@gashcrumb gashcrumb commented Dec 5, 2025
edited by nickboldt
Loading

This change updates the CLI's frontend script to create a yarn.lock based on the exported plugin package in a similar fashion to backend plugins, with the difference being the resulting node_modules folder is removed afterwards. This makes the exported plugin package for frontend plugins more consistent with backend plugins and allows another means for security scanners to inspect the plugin's dependencies.

Issue: https://issues.redhat.com/browse/RHIDP-11050

@github-advanced-security
Copy link

github-advanced-security bot commented Dec 5, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@gashcrumb gashcrumb force-pushed the RHIDP-11050 branch 2 times, most recently from 6cc96e2 to 139068e Compare December 5, 2025 19:13
@gashcrumb gashcrumb marked this pull request as draft December 8, 2025 14:42
@nickboldt
Copy link
Member

nickboldt commented Dec 9, 2025

had a chat today with Kim and Rogue today to discuss how to move forward and the TL;DR is for the next 6mo:

  • for now the only viable workaround is to include a filtered yarn.lock in the front end oci artifacts; we don't want to ALSO push the node_modules folder into the oci artifacts for the front end (performance degradation)

@gashcrumb gashcrumb marked this pull request as ready for review December 9, 2025 18:43
@gashcrumb
fix: yarn.lock for frontend plugins
920f14e 
This change updates the CLI's frontend script to create a yarn.lock
based on the exported plugin package in a similar fashion to backend
plugins.  This makes the exported plugin package for frontend plugins
more consistent with backend plugins and allows another means
for security scanners to inspect the plugin's dependencies.  This change
also moves functions that are shared between the backend and frontend
commands into a shared utils file so it's more obvious which functions
are common to each command.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 9, 2025

Quality Gate Passed Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@gashcrumb
Copy link
Member Author

gashcrumb commented Dec 9, 2025
edited
Loading

So on the remaining sonarqube complaints:

  • Refactor this function to reduce its Cognitive Complexity from 49 to the 15 allowed. - this is for customizeForDynamicUse which I moved to a common location as it's used by both the frontend and backend export. I'm not keen on refactoring this now tbh
  • The empty object is useless - well, it's not because in both cases it guards against trying to use the spread operator on potentially undefined
  • Extract this nested ternery operation into an independent statement - tbh, I think the solution winds up being more complicated. I've also held off also making this functionality shared between the backend and frontend exports at least for now because the use case is different for each.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kadel kadel Awaiting requested review from kadel

@nickboldt nickboldt Awaiting requested review from nickboldt

@davidfestal davidfestal Awaiting requested review from davidfestal

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gashcrumb @nickboldt