feat: add ghost dependency lint + CI enforcement #4546
2heal1 merged 2 commits into module-federation:main from
- scripts/check-ghost-deps.mjs: scans all imports under packages/*/src/, compares them against each package's package.json declarations, and outputs undeclared third-party dependencies (ghost dependencies). Supports a --fix mode that prints pnpm add fix suggestions.
- package.json: adds the lint:deps script
- .github/workflows/check-ghost-deps.yml: must be added manually (the PAT lacks the workflow scope)

The repository currently has the following ghost dependencies (declarations to be added in follow-up PRs):
- enhanced: fast-glob, tapable
- dts-plugin: directory-tree, vitest
- manifest: webpack
- modern-js/v3: vitest
- native-federation-tests: directory-tree, vitest
- native-federation-typescript: directory-tree, vitest, webpack
- node: tapable
- rsbuild-plugin: vitest
- sdk: @jest/globals, node-fetch, webpack
- storybook-addon: storybook
- third-party-dts-extractor: react, tsup, vitest
- typescript: axios, tapable
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c0d5a84cbd
| const pkgDirs = fs | ||
| .readdirSync(PACKAGES_DIR, { withFileTypes: true }) | ||
| .filter((e) => e.isDirectory()) | ||
| .map((e) => path.join(PACKAGES_DIR, e.name)); |
Discover package manifests recursively under packages
This directory enumeration only inspects the first level under packages/, so grouped package folders are never linted as actual packages. In this repo, nested publishable packages such as packages/bridge/* and packages/runtime-plugins/* are skipped entirely (their package.json files are not at the first level), which means ghost dependencies in those packages can slip through while the new CI job reports success.
| // Scan src/ directory (some packages may have lib/ or root directory, also scan one level as fallback) | ||
| const srcDir = path.join(pkgDir, 'src'); | ||
| const files = walkDir(srcDir, ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']); |
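Review bot: the extension list passed to walkDir on the last line covers .mjs and .cjs but not the TypeScript equivalents .mts and .cts, so imports in files with those extensions would not be scanned. Consider adding '.mts' and '.cts' to the list; the PR description names only .ts/.tsx/.js/.jsx, so it is worth aligning the two as well.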
Scan package root when src is missing
The checker only walks <pkg>/src, even though the comment says there should be a fallback, so any package whose source files live outside src is effectively unchecked. For example, packages/metro-plugin-rnc-cli uses index.js at the package root, and undeclared imports there would never be reported by this lint gate.
Background
Prevent ghost dependencies: code imports a package that is not declared in its own package.json and only works because pnpm hoists it to the root node_modules.
Changes
scripts/check-ghost-deps.mjs
Lightweight Node.js scanning script (runs without pnpm install):
- all .ts/.tsx/.js/.jsx files under packages/*/src/
- @module-federation/* workspace packages, virtual modules
- package.json's dependencies/devDependencies/peerDependencies
- --fix mode prints pnpm --filter <pkg> add ... fix suggestions
Run locally:
package.json
Adds the lint:deps script.
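The check described above, as an added example that is not the PR's script: it reduces each import specifier to its npm package name and reports names missing from dependencies/devDependencies/peerDependencies. The function names, the built-in subset, the sample manifest and sources are constructed for illustration, and skipping the @module-federation/ scope is an assumption; virtual modules are not handled.

```javascript
// Added example (not the PR's script): ghost-dependency check over in-memory sources.
// Subset of Node built-ins for the example; a real script would use module.builtinModules.
const BUILTINS = new Set(['fs', 'path', 'os', 'url', 'util', 'crypto', 'child_process']);

// Matches `from 'x'`, `import 'x'`, `import('x')` and `require('x')`.
// Regex scanning can also match specifiers inside comments or strings.
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"]+)\1/g;

// Reduce an import specifier to the npm package it must be declared as, or null.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return BUILTINS.has(name) ? null : name;
}

function findGhostDeps(manifest, sources, workspaceScope = '@module-federation/') {
  const declared = new Set(
    ['dependencies', 'devDependencies', 'peerDependencies'].flatMap((k) =>
      Object.keys(manifest[k] || {}),
    ),
  );
  const ghosts = new Set();
  for (const code of sources) {
    for (const m of code.matchAll(IMPORT_RE)) {
      const name = packageName(m[2]);
      if (!name || name.startsWith(workspaceScope)) continue; // assumption: workspace packages are skipped
      if (!declared.has(name)) ghosts.add(name);
    }
  }
  return [...ghosts].sort();
}

// Constructed sample input.
const SAMPLE_MANIFEST = {
  name: '@module-federation/example-pkg',
  dependencies: { webpack: '^5.0.0' },
  devDependencies: { vitest: '^1.0.0' },
};
const SAMPLE_SOURCES = [
  "import fs from 'node:fs';\nimport path from 'path';\nimport { x } from './local';",
  "import { SyncHook } from 'tapable';\nimport glob from 'fast-glob';",
  "const w = require('webpack/lib/util/identifier');\nimport { describe } from 'vitest';",
  "import sdk from '@module-federation/sdk';\nconst p = await import('@scope/pkg/sub');",
];

console.log(findGhostDeps(SAMPLE_MANIFEST, SAMPLE_SOURCES));
```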