Skip to content
This repository has been archived by the owner on Oct 1, 2020. It is now read-only.

Implement loading of local flow-bin #37

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

halbgut
Copy link

@halbgut halbgut commented Sep 16, 2016

Fixes #24. This PR implements a check for a local version of flow-bin and uses that instead of the global one when found.

More specifically, it plimbs up the directory tree from the current working directory, checking there's a node_modules directory. If one is found it checks if [...]/node_modules/.bin/flow is a readable file. If that's the case, it sets g:flow#flowpath to that path. Otherwise it will still be set to flow.

@ghost
Copy link

ghost commented Sep 16, 2016

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla - and if you have received this in error or have any questions, please drop us a line at [email protected]. Thanks!

@ghost ghost added the CLA Signed label Sep 16, 2016
@ghost
Copy link

ghost commented Sep 17, 2016

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

@andreypopp
Copy link

This is useful, could this be merged?

@mroch
Copy link
Contributor

mroch commented Oct 17, 2016

probably a minor concern, but this could be a security risk. if you clone a malicious repo or a malicious npm package installs a binary called flow, you could end up running a binary that isn't Flow.

I think it's useful though. could this be turned on by a setting, so users have to opt into it?

@samwgoldman
Copy link
Member

One could use finddir and filereadable as is done here in their own vim configuration, no? Maybe we should include this as an example in the README with a clear warning about the security risk?

@halbgut
Copy link
Author

halbgut commented Oct 25, 2016

malicious npm package installs a binary called flow

There are far better attack vectors for malicious NPM package. Most systems (including my own) could be owned using a preinstall script without the user (or me :D) even noticing. This means an installed package can already execute code as the user in a far more efficient manner. So in my opinion there is no security gain from not loading node_modules/.bin/flow by default.

One could use finddir and filereadable as is done here in their own vim configuration, no?

The solution in this PR does have one big advantage. Installing Flow (project-) locally is best practice (for good reasons). This plugin as it stands encourages users to install it globally, which in most cases is the wrong choice.

I think it's useful though. could this be turned on by a setting, so users have to opt into it?

I think creating a setting sounds like a good idea. But in my opinion it should be opt out.

Edit:
P.S. Sorry for the late answer, I was quite badly under the weather for the last few days.

@tugorez
Copy link

tugorez commented May 21, 2017

Will this be merged?

@tugorez
Copy link

tugorez commented May 21, 2017

@Kriegslustig I've tried your solution and is not working.

I'm using Bundle, and vim 7.4.576 on Debian.

I'm not a vim expert (neither as user nor developer) but if found replacing

let s:npm_local_flowpath = finddir("node_modules", ".;") . "/.bin/flow"

with

let s:npm_local_flowpath = "./node_modules/.bin/flow"

gets the job done

If there is something I could help with, please tell me.

@halbgut
Copy link
Author

halbgut commented May 21, 2017

@tugorez The issue with that solution is, that it will only work, if you're opening vim from from the project's root directory.

Could you run this command in vim and post the output here?

:echo finddir("node_modules", ".;") . "/.bin/flow"

Edit:
Please also check if :pwd gives you a directory that is either inside a project using flow or is the root directory of a project using flow.

@tugorez
Copy link

tugorez commented May 21, 2017

Oh I get it
Yes, for sure. It outputs

/.bin/flow 

Thank you @Kriegslustig.

@halbgut
Copy link
Author

halbgut commented May 21, 2017

And running :!ls | grep node_modules in vim gives you node_modules?

@tugorez
Copy link

tugorez commented May 21, 2017

@Kriegslustig I see your point and you're right.
It was my problem because I ran the command in a non-dependencies-installed project, sorry.

@TrySound
Copy link

TrySound commented Aug 8, 2017

@acornejo
Copy link

Is there something needed for this to be merged?

@loyd
Copy link

loyd commented Feb 17, 2018

What is the problem w/ this PR? Let's merge.

plugin/flow.vim Outdated
@@ -24,7 +24,13 @@ if !exists("g:flow#qfsize")
let g:flow#qfsize = 1
endif
if !exists("g:flow#flowpath")
let g:flow#flowpath = "flow"
" Search for a local version of flow
let s:npm_local_flowpath = finddir("node_modules", ".;") . "/.bin/flow"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, we need to detect flowpath for every .js file, not only at startup.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah good point. Though it'll hurt performance. I implemented it as you suggested.

@loyd
Copy link

loyd commented Feb 18, 2018

Good job, thanks!

@fleischie
Copy link

fleischie commented Jun 17, 2018

@Kriegslustig I understand, that this PR is ancient time-wise. But could you shortly elaborate on why the function is named "SaveGetFlowExecutable?"

Is it, because it tries to find one in a specific manner and if it cannot find one, it returns with a warning? Shouldn't it then be "SafeGetFlowExecutable?" Also wouldn't make "s:local_flowpath" more sense, then "s:npm_local_flowpath," as the package manager has nothing to do with the path itself?

I am not trying to diss your PR, I am trying to understand it, because I'd like to merge it into my own personal fork.

Edit: I have some further amendmends if you're interested. If not, just let me know, then I'll take of it myself. 😄 ✌️

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants