Peer dependency on firebase-tools #3171
-
Sorry about that, we should update the peer dependency to support the 10 series, as we are compatible.
The current advice, however, is to not have firebase-tools as a devDependency but rather as a globally installed library, as it's gotten far more strict with its own dependencies (pinning specific versions due to recent supply chain attacks) and has been growing in size (with the addition of the emulators and emulator UI).
-
Hey,
I see that @angular/fire has listed an optional peer dependency on firebase-tools. I would like to understand why this is the case. For me, the packages serve completely different use cases. Of course, they might often be used together, but I would expect @angular/fire to work perfectly without the other.
The problem I see with this connection is that we cannot upgrade firebase-tools to the latest version without breaking the peer dependency relation. AFAIK, optional dependencies are ignored when they are not present, but if the dependency exists in a different version than listed in the peer dependencies, then we get an error about a peer dependency that does not fit.
Firebase-tools in version 9.9.0 (which is the one required by @angular/fire) brings some security issues, which should be resolved.
So finally, why do we have this peer dependency on firebase-tools at all?
By the way: thanks for this nice library :)