Replies: 2 comments
-
Thanks very much for this, Aaron. We try and keep the issues list reserved for bugs and features that we are committed to implementing. I’m not saying we won’t make code changes as a result of this report, but it is working as we designed it for now, and any changes to how it works need discussion before we agree on implementation. I’m going to move this issue to a discussion, where we discuss changes and enhancements, and I’ll make a much more detailed comment there. Thanks again! |
Beta Was this translation helpful? Give feedback.
-
Thanks very much for raising this, Aaron. The intention of this feature is purely to make developers aware that they may wish to look more carefully at a package and its manifest to understand what it does before using it as a dependency. I worked hard to make sure there were no negative connotations in the message, and we use a blue “information” icon rather than anything more alarming. We also redirect people to both the README and LICENSE files in the package repository for more information. This is the first time I’ve seen a package plugin use a binary target, and while there is merit to your argument that it doesn’t end up in the binary that includes your package, as a developer, I would still appreciate being told to have a closer look and so I’d come down on the side of keeping the message there in this case. If it were easy to determine where the binary target was used, then I’d potentially be in favour of having a different message that included the word plugin in it, but I would still advocate for the site to show some kind of message. Unfortunately, tweaking that message based on this condition would be a big job as we don’t have target dependencies mapped in that kind of detail. All we bring in is a flat list of targets and types. It’s not out of the question to do a more comprehensive job at extracting target information, but my personal view is that it wouldn’t be warranted to enable a tweaked message. Happy to discuss it more here, of course. |
Beta Was this translation helpful? Give feedback.
-
This is more unexpected behavior than a bug. I added a new package, AppStoreConnect, to the Index today. While looking at the page, I saw a "This package contains binary-only targets" message towards the top. I was perplexed at first, until I realized that the binary target that's being referred to is the CreateAPI artifactbundle, which is used with a package plugin defined elsewhere in the manifest. At no point is this binary target a member of the library product that I am exposing in my package, nor is it used as part of the build of any target (except the plugin).
I'm worried that surfacing incorrect information like this could be misconstrued by potential users. Is it possible to improve the heuristic used to discover binary targets in a package to filter out situations like this?
Beta Was this translation helpful? Give feedback.
All reactions