Build package as both CJS and ESM #203
Conversation
|
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring: Next stepsTake a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with |
|
New dependencies detected. Learn more about Socket for GitHub ↗︎
|
| - prepare | ||
| strategy: | ||
| matrix: | ||
| node-version: [16.x, 18.x, 20.x] |
There was a problem hiding this comment.
We probably don't need to run build on all these Node versions. But can be fixed in another PR.
There was a problem hiding this comment.
Agreed, but out of scope for this PR.
|
After some more testing, I found that Browserify does not support the import { bar } from '@metamask/bar/baz'; // dist/cjs/baz/index.jsThis will work fine in Node.js, Webpack, etc., but in Browserify this results in an error:
I have an idea on how this can be solved, but will put it into draft until this has been tested. |
|
Could you elaborate on the connection between that problem, and the contents of this PR? I see that this PR adds the |
Sure. The problem is that packages that don't use Browserify could import in ways that are not supported by Browserify. For example, if We solved this in the Snaps repo by explicitly exporting Ideally we avoid importing from I hope that makes sense! |
|
Thanks! Makes sense. Perhaps in the meantime we could use the |
I hadn't even considered that we don't need |
|
@SocketSecurity ignore @swc/[email protected] These packages are expected to have filesystem and shell access. And core needs a postinstall script to prepare native code. |
|
@SocketSecurity ignore-all The remaining alerts are regarding packages used by SWC with access that seems reasonable for them to have, and new author/unmaintained warnings (none of which seem suspicious). |
Mrtenz
dismissed stale reviews from Gudahtt, FrederikBolding, and mcmire
via
455030a
| @@ -0,0 +1,18 @@ | |||
| { | |||
There was a problem hiding this comment.
Just leaving a comment here for future reference.
When we change the package to use SWC for other parts of the stack, such as testing, we need to keep in mind to use a different .swcrc file. This one is explicitly ignoring test files and such, so will not work with Jest.
Instead of transpiling the source code to just CJS, we now transpile it to ESM as well. This is beneficial for projects using bundlers that are capable of tree-shaking (such as MetaMask Snaps), because it's much easier to determine whether the code has side effects or not.
For the transpilation, we now use SWC rather than TSC. This avoids having to do type checking twice, which is quite slow. TypeScript is still used for generating the declaration files, however, so the code is still being type-checked.
This is based on a change in the Snaps repository (MetaMask/snaps#1519), which has been tested in the extension, so this shouldn't cause any problems there.