Hi Benno, As I added the new JavaScript linter to support/mesos-style.py, let me provide some details regarding its implementation.
"Indeed, it turns out that the pre-commit hook is installing both a pip package and an npm package, eslint, along with all of its 1450 dependencies. (https://pastebin.com/hTZWRxcy)" We chose ESLint due to its flexible CLI and good documentation, it provides us an output going well with the two other linters we use for C++ and Python and a linting that we have adapted to work with our JS codebase. Concerning the metric you used: JSHint, which is the other JS linter allowing customization from the collection https://github.com/collections/clean-code-linters, has 972 dependencies (number obtained using npm-remote-ls); this is a smaller number but still in the same league. There is no equivalent to cpplint.py for JS, we had to use a Node.js package (in that case a npm package). Node.js packages require node, we install it from a new Python virtual environment created for the linters (the Mesos Python linter also requires some pip packages) using nodeenv (https://github.com/ekalinin/nodeenv). This was a simple solution to install eslint and it explains the chain of dependencies you described (pip package => npm package => JS dependencies). "My proposal would be to move most checks to post-reviews.py, which is a slow operation anyways and which actually marks the point in time where the commits should be cleaned up enough to pass all checks." I personally agree and this is feasible, please create a ticket regarding that request and assign it to me. Comments from other devs would be useful to know if this would be a positive change or not. One last point regarding the length of the installation of this new linter due to its dependencies: the two Python virtual environments we use in Apache Mesos (one for the CLI, one for the linters) are only being rebuilt when we update the pip requirements or update the virtual environment installation scripts ( https://github.com/apache/mesos/blob/ab9039335723fc36cb8e8b4fbb17a15327520cc9/support/mesos-style.py#L406). This is a not a common event as you can see from the history of the CLI pip-requirements.txt: https://github.com/apache/mesos/commits/master/src/python/cli_new/pip-requirements.txt and https://github.com/apache/mesos/commits/2d19111e4852aed25161e4549ff704f9d4c2f37b/src/cli_new/pip-requirements.txt . Best regards, 2017-11-10 16:28 GMT+01:00 Benno Evers <bev...@mesosphere.com>: > Hi guys, > > Our commit hooks in mesos have been traditionally quite strict (something > many people here will have experienced when "quickly" commiting some work > in progress before changing branches). However, when I rebased a branch > today I was surprised to learn that I had to wait more than 5 minutes while > something was downloaded from the internet. > > Indeed, it turns out that the pre-commit hook is installing both a pip > package and an npm package, eslint, along with all of its 1450 > dependencies. (https://pastebin.com/hTZWRxcy) > > Aside from the security implications (these are unsigned, and every single > one gets to execute custom javascript) I feel like there is something > fundamentally wrong here - a git commit is supposed to be a local > operation, it should not need internet access: > > bevers@poincare:~/mesos$ git commit -m "Dummy commit on cleaned > worktree." > Virtualenv not detected... building > Rebuilding virtualenv... > Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after > connection broken by > 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection. > VerifiedHTTPSConnection > object at 0x7fea82eb11d0>: Failed to establish a new connection: [Errno -2] > Name or service not known',)': /simple/pip/ > [...] > Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after > connection broken by > 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection. > VerifiedHTTPSConnection > object at 0x7f2e627456d0>: Failed to establish a new connection: [Errno -2] > Name or service not known',)': /simple/nodeenv/ > Could not find a version that satisfies the requirement nodeenv==1.1.2 > (from -r /home/bevers/mesos/support/pip-requirements.txt (line 1)) (from > versions: ) > No matching distribution found for nodeenv==1.1.2 (from -r > /home/bevers/mesos/support/pip-requirements.txt (line 1)) > > > I'm sure running various linters improves code quality, but there must be a > better way to implement this. My proposal would be to move most checks to > post-reviews.py, which is a slow operation anyways and which actually marks > the point in time where the commits should be cleaned up enough to pass all > checks. > > What do you think? > > Best regards, > -- > Benno Evers > Software Engineer, Mesosphere > -- Armand Grillet Software Engineer, Mesosphere