Design footgun. If you don't call `parse()` the CLI silently ignores all flags

[Veetaha]

The PR title pretty much describes it, so I'd rather tell the full story of how I discovered it and why I think it's a design footgun 🦵 🔫

I've written a command like this that takes zero arguments and zero flags. It just performs a single action without any CLI-level parameterization:

import { Command } from "@oclif/core";

export default class Destroy extends Command {
    static override description = "Destroys the application stack";

    async run() {
        // Destroy goes brr....
        console.log("Destroy completed!");
    }
}

And I've been happy with it for a while because everything seemed to work fine. But then after some time, I noticed something weird. I've been writing commands like deploy --foo bar and destroy interchangeably until I realized that I wrote destroy --foo bar mistakenly and it silently worked! I could write any gibberish like destroy --asd- wew rdf- and the CLI ate it just fine.

I've been scratching my head for some time with this trying to find existing issues in oclif about the bugs in ignoring unknown/extra flags until I actually realized what I did wrong. I just forgot to add this into my run() method:

await this.parse(Destroy);

This is something I would never think about because I didn't need to take any input for my command so I thought I didn't need to parse anything but it was wrong. Parsing not only reads the input but also validates for extra parameters in the CLI which isn't something one would think about first, because people tend to think about the successful cases first, and relying on the CLI library to handle the syntax errors for them as granted.

Having this ceremony of calling this.parse() even if you don't need to take any arguments is something I think is wrong by design. The feature of parsing the CLI input must be provided by default and not opt-in. Instead, there can be an option to opt-out.

I'd imagine an API where we don't need to call parse() at all, and instead the run() method accepts the args/flags as its parameter. I know there may be some other nuances with this and this breaks the compatibility, but I just want to point out that this design footgun exists so people should keep it in mind. At the very least a warning can be added to the docs to try to prevent this problem

[cristiand391]

I don't have the whole historical context but oclif used to be split cross several packages (today most is included in @oclif/core), the parser was one of those:
https://github.com/oclif/parser

and oclif/command would do a lazy require (perf) only if you called this.parse:
https://github.com/oclif/command/blob/e4ef0f10bfe196bae1a935457818fa07a90301cb/src/command.ts#L161

so it could be that the opt-in behavior was to optimize startup time, and over time we just carried the same implementation.
There's probably more related to it, I can ask my coworker when is back from PTO in a few weeks.

[mdonnalley]

@Veetaha I believe that @cristiand391 is right - it's probably a vestige of previous era of oclif.

I do agree with you, however, that's it not a great design for most people

However, I think we'll probably need to keep it as it is because there are legitimate use cases where you want to put the call to parse somewhere else

• Like a custom base class: https://oclif.io/docs/base_class
• You'd like to do some sort of validation before calling parse (e.g. is the command being run from the right directory)

I'll keep this open though because it might be helpful to others to see and there's still a possibility that we could address it in a new major version

Hope that helps!

[git2gus]

This issue has been linked to a new work item: W-19992616