Parcel tries to install deps with yarn automagically #3603

Closed
sjmeverett opened this issue Oct 4, 2019 · 3 comments
@sjmeverett

🐛 bug report

I'm trying out Parcel on a sample project, with dependencies installed via npm. I was really impressed to start with, thanks for developing the project.

When I add an unknown import, it tries to install the missing dep with yarn. It shouldn't be using yarn if there's a package-lock.json available.

There's a bigger problem here though: I was rather surprised to see it start installing things when I changed a file - I was actually in the middle of removing code that referenced the package, and Parcel decided to unhelpfully reinstall it for me, behaviour I didn't know existed.

FWIW I think Parcel has no business automatically installing packages. It is functionality way outside the reasonable scope of a bundler, with way too many edge cases and problems taking time away from the hundreds of other outstanding issues.

🎛 Configuration (.babelrc, package.json, cli command)

Command: parcel serve src/index.html

🤔 Expected Behavior

What I literally expected was that Parcel would bork if a dependency was missing.

That aside, it should notice my package-lock.json and use NPM - but really the functionality should either not exist at all or be opt-in.

I feel that at the very least, automatically downloading executable stuff off the internet and installing it into your project should come with a giant warning on page 1 of the docs.

A user could have the watch task running on a hidden console e.g. in an IDE, make a typo in an import and hit save, and not even be aware that their bundler has downloaded a random package and executed a post install script.

😯 Current Behavior

If a package is missing Parcel uses yarn to install it, regardless of what was used to install the other dependencies.

💁 Possible Solution

Remove the entire "feature": it's surprising, not remotely necessary, dangerous from a security perspective, and takes development time away from all the other issues.

@shawwn made some great points about it way back in 2017.

Note: I know there's an opt out, but it had already started installing unwanted packages before I knew that it was going to, which is a security problem.

🌍 Your Environment

| Software         | Version(s)      |
|------------------|-----------------|
| Parcel           | 1.12.3          |
| Node             | 11.10.0         |
| npm/Yarn         | 6.11.3 / 1.13.0 |
| Operating System | Mojave          |
@DeMoorJasper (Member)

You can disable it using --no-autoinstall, but you're right, it should probably not be the default behaviour.

@sjmeverett (Author)

@devongovett why has this issue been closed? If you disagree with my opinion that it shouldn't be default behaviour, I'd quite like to know why.

I know (now) you can disable it, I specifically said that. But it shouldn't be there in the first place.

@sjmeverett (Author)

Besides, either way, it still shouldn't have used yarn...
