From 9eb55edde79d096cdb30e5fee9d6a1f39df493ab Mon Sep 17 00:00:00 2001 From: Michael Muller Date: Thu, 23 Sep 2021 14:42:47 -0400 Subject: [PATCH] Add a presubmit to verify no new JS dependencies (#1334) * Add a presubmit to verify no new JS dependencies Verify that we have a known set of javascript dependencies. This guards against the inadvertent introduction of a new dependency with a disallowed license. TESTED: Added a new package to packages.json, observed presubmit failure. * Replaced f-strings, printed python version For some reason, it looks like we're using a python version older than 3.6 on our CI machines. * Remove python version trace. --- config/presubmits.py | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/config/presubmits.py b/config/presubmits.py index f401453e6..b54f5c325 100644 --- a/config/presubmits.py +++ b/config/presubmits.py @@ -17,9 +17,11 @@ These aren't built in to the static code analysis tools we use (e.g. Checkstyle, Error Prone) so we must write them manually. """ +import json import os from typing import List, Tuple import sys +import textwrap import re # We should never analyze any generated files @@ -28,6 +30,13 @@ UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/" FORBIDDEN = 1 REQUIRED = 2 +# The list of expected json packages and their licenses. +# These should be one of the allowed licenses in: +# config/dependency-license/allowed_licenses.json +EXPECTED_JS_PACKAGES = [ + 'google-closure-library', # Owned by Google, Apache 2.0 +] + class PresubmitCheck: 
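Review bot: The comment above EXPECTED_JS_PACKAGES in the second hunk reads "expected json packages", which does not match what the list holds; it should read `# The list of expected javascript packages and their licenses.` (the file is package.json, the packages are JavaScript). The license is recorded only in a trailing comment, so nothing checks it against config/dependency-license/allowed_licenses.json; if that file is machine-readable it may be worth saying in the comment that the reviewer adding an entry is the one responsible for that check, since the presubmit itself will not do it.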
@@ -308,6 +317,26 @@ def verify_flyway_index(): return not success +def verify_javascript_deps(): + """Verifies that we haven't introduced any new javascript dependencies.""" + with open('package.json') as f: + package = json.load(f) + + deps = list(package['dependencies'].keys()) + if deps != EXPECTED_JS_PACKAGES: + print('Unexpected javascript dependencies. Was expecting ' + '%s, got %s.' % (EXPECTED_JS_PACKAGES, deps)) + print(textwrap.dedent(""" + * If the new dependencies are intentional, please verify that the + * license is one of the allowed licenses (see + * config/dependency-license/allowed_licenses.json) and add an entry + * for the package (with the license in a comment) to the + * EXPECTED_JS_PACKAGES variable in config/presubmits.py. + """)) + return True + return False + + def get_files(): for root, dirnames, filenames in os.walk("."): for filename in filenames: @@ -331,5 +360,8 @@ if __name__ == "__main__": # when we put it here it fails fast before all of the tests are run. failed |= verify_flyway_index() + # Make sure we haven't introduced any javascript dependencies. + failed |= verify_javascript_deps() + if failed: sys.exit(1)
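Review bot: The comparison `deps != EXPECTED_JS_PACKAGES` in verify_javascript_deps is order-sensitive, and since the commit message says CI runs a Python older than 3.6, `list(package['dependencies'].keys())` can come back in arbitrary order there, so the check would fail spuriously as soon as a second package is listed; compare order-insensitively, `if sorted(deps) != sorted(EXPECTED_JS_PACKAGES):`, and use `package.get('dependencies', {})` so a package.json without that section does not raise KeyError instead of reporting a result. The function only reads the `dependencies` section, so a package added under `devDependencies` or `optionalDependencies` would not be caught — if those sections exist or may be added in this repo's package.json, their keys should be folded into `deps` as well. The gate is also name-only: it does not look at versions or at the transitive tree, which the docstring should state so nobody reads it as a full license audit, e.g. `"""Verifies that package.json lists exactly the direct dependencies in EXPECTED_JS_PACKAGES (names only; versions and transitive packages are not checked)."""`.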
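Review bot: The comment added before `failed |= verify_javascript_deps()` in the last hunk says "haven't introduced any javascript dependencies", but the check permits the packages in EXPECTED_JS_PACKAGES, so it overstates what is enforced; `# Make sure we haven't introduced any unexpected javascript dependencies.` matches the function's behaviour. The enclosing `if __name__ == "__main__":` block starts outside the hunk.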