feat(v2-sdk): separate esm / cjs builds #222
Conversation
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
|
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/[email protected] |
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again. Next stepsWhat is filesystem access?Accesses the file system, and could potentially read sensitive data. If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. What is dynamic require?Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution. Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. What is shell access?This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code. Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
just-toby
force-pushed
the
feat/v2-sdk-build
branch
2 times, most recently
from
0087b48 to
fcdbbde
Compare
just-toby
force-pushed
the
feat/v2-sdk-build
branch
from
fcdbbde to
401913b
Compare
just-toby
changed the base branch from
feat/universal-router-sdk-esm-build
to
feat/router-sdk-build
just-toby
force-pushed
the
feat/router-sdk-build
branch
from
c6c87a9 to
9f045cc
Compare
PR Scope
breaking change to build structure for
v2-sdkDescription
updates the build setup for
v2-sdkto manually and explicitly create separate cjs and esm builds (plus a types-only version)How Has This Been Tested?
built the sdk locally, then installed the local build result in another project (
universe/apps/web) and verified that it properly resolved the esm version instead of the cjs versionAre there any breaking changes?
there shouldn't be, but technically if an end user is importing incorrectly (by directly referencing any build artifact files) then they'll need to update
(Optional) Follow Ups
PRs to follow will do this for many other SDKs