No way to block a child addon from loading #26

Open
jamesarosen opened this issue May 24, 2018 · 1 comment

jamesarosen commented May 24, 2018

I have an addon, parent, that has as a dependency, another addon, insecure-child. I'd like to include parent in my application, but insecure-child has an unpatched security problem, so I'd like to block it. (It's critical only to parts of parent that my application doesn't use.)

Things I've tried:

Blacklist

// my-app/ember-cli-build.js
let app = new EmberApp(defaults, {
  addons: { blacklist: ['insecure-child'] }
})

ember-cli throws an exception saying that child is not found.

Monkey-Patch shouldIncludeChildAddon

// my-app/ember-cli-build.js
const EmberAddon = require('ember-cli/lib/models/addon')
// Keep a reference to the original so every other child is handled as before.
const shouldIncludeChildAddon = EmberAddon.prototype.shouldIncludeChildAddon
EmberAddon.prototype.shouldIncludeChildAddon = function(child) {
  return child.name === 'insecure-child' ? false : shouldIncludeChildAddon.call(this, child)
}

This doesn't work because ember-cli-preprocessor-registry runs before ember-cli-build loads.

Configurable child blacklist

If I control parent, I can override shouldIncludeChildAddon there. My first instinct was

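// parent/index.js
module.exports = {
  name: 'parent',

  // Store the blacklist supplied in the app's config.
  config(environment, appConfig) {
    this.addonBlacklist = (appConfig.parent.addons || {}).blacklist || []
  },

  // Skip any child named in the blacklist.
  shouldIncludeChildAddon(child) {
    return !this.addonBlacklist.includes(child.name)
  }
}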

The problem with this is that shouldIncludeChildAddon is called before config is called. I could call this.parent.config(), but I don't have an environment to pass it.

@jamesarosen (Author)

I ended up doing this:

// parent/index.js
const shouldExcludeInsecureChild = process.env.EXCLUDE_INSECURE_CHILD === 'true'

module.exports = {
  name: 'parent',

  init() {
    // Let ember-cli set up this.parent before it is used below.
    this._super.init && this._super.init.apply(this, arguments)
    if (shouldExcludeInsecureChild) return
    if (this.parent.addonPackages['insecure-child'] != null) return
    console.warn(`
WARNING: in v2.0, parent will change insecure-child to an optionalDependency.
If you want to use insecure-child, add it to your project's package.json as a dependency.
If you do not want to use insecure-child, set EXCLUDE_INSECURE_CHILD to "true"
  `)
  },

  // Load every child except insecure-child when the opt-out is set.
  shouldIncludeChildAddon(child) {
    return child.name !== 'insecure-child' || !shouldExcludeInsecureChild
  }
}
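
A check an application could run in CI to confirm that a blocked addon is no longer reachable through any parent. This is an added example, not code from the issue or from ember-cli. The package map, the names my-app, other-addon and plain-lib, the functions isAddon and findDeniedAddonPaths, and the simplified discovery model (child addons are dependencies carrying the "ember-addon" keyword) are all assumptions.

```javascript
// Constructed sample: package.json contents keyed by package name.
// 'my-app', 'other-addon' and 'plain-lib' are made up; 'parent' and
// 'insecure-child' are the placeholder names used in this issue.
const SAMPLE_PACKAGES = {
  'my-app': { devDependencies: { parent: '*', 'other-addon': '*' } },
  parent: { keywords: ['ember-addon'], dependencies: { 'insecure-child': '*' } },
  'other-addon': { keywords: ['ember-addon'], dependencies: { 'plain-lib': '*' } },
  'insecure-child': { keywords: ['ember-addon'] },
  'plain-lib': {},
};

// Assumption: an addon is a package whose package.json lists the "ember-addon" keyword.
function isAddon(pkg) {
  return Boolean(pkg) && Array.isArray(pkg.keywords) && pkg.keywords.includes('ember-addon');
}

// Returns every dependency chain from `root` that ends at a denied addon.
// `excluded` maps a parent name to the children it refuses to load, which is
// what an env-gated shouldIncludeChildAddon achieves in the thread above.
function findDeniedAddonPaths(packages, root, denylist, excluded = {}) {
  const hits = [];
  const walk = (name, path) => {
    const pkg = packages[name] || {};
    // Assumption: devDependencies count only for the root project.
    const deps = { ...pkg.dependencies, ...(name === root ? pkg.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      if (path.includes(dep)) continue; // cycle guard
      if (!isAddon(packages[dep])) continue; // plain libraries are not child addons
      if ((excluded[name] || []).includes(dep)) continue; // parent opted out
      const next = path.concat(dep);
      if (denylist.includes(dep)) hits.push(next.join(' > '));
      walk(dep, next);
    }
  };
  walk(root, [root]);
  return hits;
}

// Without the opt-out the denied addon is reachable; with it, no chain remains.
console.log(findDeniedAddonPaths(SAMPLE_PACKAGES, 'my-app', ['insecure-child']));
console.log(findDeniedAddonPaths(SAMPLE_PACKAGES, 'my-app', ['insecure-child'],
  { parent: ['insecure-child'] }));
```

In a real project the package map would be built from the installed package.json files, and a non-empty result would fail the build.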
