Package activation error for users, but the developer (me) doesn't see it


#1

A user is reporting that there is a 6to5 compile error being thrown due to a dependency of a dependency of a dependency of my Atom package. (unsafe use of JavaScript eval in atom-supercollider -> supercolliderjs -> express -> depd)

I don’t experience this error because I used apm link /path/to/source and I guess development packages are not run through 6to5? Or maybe not all the dependencies are.

Is the code run in place?

I can apm unlink and then I am using the shipped release. I see the error.

I might have fixed the error, but I guess the only way to know for sure is to release it and then try it.
Or is there a better way?

Atom 0.182.0


#2

To my understanding, dependencies aren’t run through 6to5/babel, no. It is expected that they are whatever dialect of JavaScript that Node/IO.js can run by itself … being npm modules, after all. Unfortunately, there isn’t a way to mimic the install process which may have extra checking for these things that is getting bypassed since I assume you’re using apm install to install the package dependencies of your linked package?

I think the best bet at this point is to release it and try installing it.


#3

It seems to be the CSP that is objecting to the unsafe eval. I guess “compile error” is incorrect.

Installing is the only way to find out. I did a mini-release but the offending package is still in there, so I will refactor today and work around it.

Unfortunately I had to wait until a user reported this. They don’t even get an error notification; they have to wonder why nothing is working and then open up the console.
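
An added example, not part of the original post and not Atom's or apm's own tooling: a pre-release scan that flags `eval()` and `new Function()` in a package's dependency tree, which is the kind of call a CSP without `unsafe-eval` rejects, and names the dependency chain that pulled each file in. The function names and the sample source are assumptions constructed for illustration.

```javascript
// Text heuristic, not a parser: it can over-report, e.g. matches inside string literals.
const PATTERNS = [
  { name: 'eval()', re: /(^|[^\w$])eval\s*\(/ },
  { name: 'new Function()', re: /\bnew\s+Function\s*\(/ },
];

// Return one hit per pattern per non-comment line of a source string.
function findUnsafeEval(source) {
  return source.split(/\r?\n/).flatMap((raw, i) => {
    const text = raw.trim();
    if (/^(\/\/|\/\*|\*)/.test(text)) return []; // skip comment-only lines
    return PATTERNS.filter((p) => p.re.test(text))
      .map((p) => ({ line: i + 1, pattern: p.name, text }));
  });
}

// Turn a path under node_modules into the chain of packages that pulled the file in.
function dependencyChain(filePath) {
  const parts = filePath.split(/[\\/]/);
  const chain = [];
  for (let i = 0; i < parts.length - 1; i++) {
    if (parts[i] !== 'node_modules') continue;
    const scoped = parts[i + 1].startsWith('@') && parts[i + 2];
    chain.push(scoped ? `${parts[i + 1]}/${parts[i + 2]}` : parts[i + 1]);
  }
  return chain;
}

// Walk a directory tree and report every hit with its dependency chain.
function scanTree(root) {
  const fs = require('fs'); // loaded here so the matchers above need no filesystem
  const path = require('path');
  return fs.readdirSync(root, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) return scanTree(full);
    if (!entry.isFile() || !entry.name.endsWith('.js')) return [];
    return findUnsafeEval(fs.readFileSync(full, 'utf8'))
      .map((hit) => ({ file: full, chain: dependencyChain(full), ...hit }));
  });
}

// Constructed sample of what a transitive dependency might contain.
const SAMPLE = [
  "// eval('mentioned only in a comment')",
  "var wrapped = eval('(function (a, b) { return fn.apply(this, arguments) })')",
  "var add = new Function('a', 'b', 'return a + b')",
  'var row = retrieval(key)',
].join('\n');
```

Calling `scanTree('node_modules')` from the package root lists each finding with its file, line and chain. With a flattened `node_modules` layout the chain is a single package name.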


#4

If you can file a bug on https://github.com/atom/atom/issues/new describing this in detail and how it can only be found through installation (which isn’t mimicked in the dev process), that would be a big help.


#5

Thanks!