Display non-pub dependencies

[jonasfj]

Flutter plugins can have non-pub dependencies through build.gradle and *.podspec files.

Maybe we could detect that and display such dependencies on pub.dev.

TODO:

• Detect dependencies and minimum Android SDK version from build.gradle,
• Detect dependencies and minimum iOS version from *podspec files,
• Decide how to present this information (side-bar maybe?)

[sigurdm]

https://stackoverflow.com/questions/57527328/parse-build-gradle-programmatically might be a way to handle the gradle files. But it would mean we have to go java...

[Sameerkash]

@jonasfj I'm trying to work on this, would parsing the file as String and find the next word after minSdk and dependencies be good? or should we implement some kind of custom parser to parse Gradle files?

[jonasfj]

@Sameerkash, hmm, if we can find some part of the android toolchain that can parse a .gradle file for us, and give us an output in xml/json or something that easy to read, that would perhaps be the most robust solution.
This could easily make us run user-code, so it would require sandboxing, etc, and it might be slow..

Perhaps just parsing the string with regexes is a good start. Or maybe use something like petitparser to create a tree-structure by just interpreting keywords, identifiers, strings, comments, parenthesis and brackets.. we might not have to understand the full gradle DSL grammar (or the groovy / kotlin stuff), but we might get a better heuristic if we're able to see that in: android { /*foo2*/ foo bar } baz the words foo and bar belongs to the android section, baz is unrelated and foo2 is really just a comment that can be ignored.

It should certainly be possible to parse it to the extent that we strip comments and understand strings. Imagine a gradle files like:

apply plugin: 'kotlin-android'

android {
    compileSdkVersion 28
    defaultConfig {
        // WARNING, this longer works: minSdkVersion 15
        minSdkVersion 16
    }
}

Just being able to see that minSdkVersion 15 is part of a comment, and not part of the source text might provide some value.

Note. you can get all package names from:

• https://pub.dev/api/package-names
• https://pub.dev/api/packages/<package>, will return the list of versions/pubspecs for a given package,
  • so it's easy to find packages that are plugins
  • It also includes a URL where the archive can be downloaded from..

So given a package name it's easy to fetch the gradle file, if there one, just do:

curl -sL https://pub.dartlang.org/packages/<package>/versions/<version>.tar.gz | tar zxO android/build.gradle

This will print to stdout, I'm guess since gradle files are small and most packages aren't plugins, it's actually feasible to download all gradle files from pub.dev to test against when developing this heuristic.. Might be worth doing a script that can download them all to a folder for easy testing.

---

The code for detecting this might be better off living in: https://github.com/dart-lang/pana

[Sameerkash]

did some digging and found this lib gradle-to-js can we use this through JS interop?

If not for this, petitparser would be the way as there is no other straightforward way to extract it without parsing the file.

cc @jonasfj

[jonasfj]

Using js interop is possible, but it'll probably be more work, and more work to maintain in the long run.. Deploying it will be harder to use..

I would suggest just porting it to dart using petitparser or maybe just straight up porting it to Dart :D

[jonasfj]

After all it's less than 700 lines of code... :D

ps. I'm on hackers-pub-dev- in https://github.com/flutter/flutter/wiki/Chat

[Sameerkash]

After all it's less than 700 lines of code... :D

ps. I'm on hackers-pub-dev- in https://github.com/flutter/flutter/wiki/Chat

Sure! I'll ping you there with updates.

[sigurdm]

if we are ever doing this, note that we should focus on SwiftPM instead of cocoapods, as flutter is slowly making that transition.