Hi, Am Samstag, den 20.11.2021, 12:04 -0500 schrieb Philip McGrath: > To the best of my understanding, npm doesn't inspect the js files at > all by default, so no. (A package.json file might define a build > script that does more checks.) I think a missing and undeclared > dependency manifests itself as a runtime error when the require() > function is evaluated. Sheesh. > > In the resolve-dependencies subprocedure, we could check whether we > > have a matching input somewhere and only include the dependency if > > we do. WDYT? > > I thought about this, but it seems to me there are two problems. > First, I'm very unsure about this, but, in the last few days, I've > gotten the impression there may be some "package.json" packages that > don't correspond directly to Guix packages. I don't really understand > how that works, but I think it may have something to do with npm > packages that can run either on Node.js or on the web and need to use > some functionality that's part of the Node.js core but not the web > platform (or vice versa?). I could be wrong about that, but I've > tried, especially in v2, to only have the build-side code do things > I'm confident are correct in all cases. What does "not directly correspond to Guix packages" mean here? At the very least Node must have a way of finding them, probably somewhere in lib/, no? While I did say we may want to rewrite these dependencies in ‘configure’, perhaps we can find a middle ground in which we only do so when a given argument is there. ant-build-system does that for instance, so as to cope with packages that actually have no ant build spec. WDYT? > The other issue is that deleting packages with no matching input by > default would replicate some of the drawbacks of the current > `(delete 'configure)` approach. I think it's better to have an > explicit list of dependencies that Guix is deleting. If eventually we > package all of the missing dependencies for Guix, it would be much > easier to find the packages that ought to use it. And, in the highly > dynamic JavaScript world, I'm reluctant to give up one of the few > static checks we have. If a missing package that really was required > were automatically deleted from "package.json", it seems the failure > mode would by a mysterious runtime error, potentially many steps down > a dependency chain. I get where you're coming from, but OTOH if you were to change parts of the package to suit your own needs – like adding or omitting some inputs, you now have two places to change, and they're in a tricky relationship with another. I think this is setting up some very error- prone boilerplate. I hope that in most cases the test suite will cover the important use cases, but that's not always possible (e.g. with flaky tests, networking, missing test inputs...) Furthermore, for better or for worse, stack traces did become the gold standard of debugging long ago, so even packages missing "deep down" would probably soon be dug out if they lead to hard errors. Soft errors in Javascript though...