Atmosphere shows aldeed:collection2 as depending on insecure

stephan · July 6, 2015, 7:48pm

Hi,

I wanted to try collection2, which seems to be very popular. Something that worries me a little is that it’s depending on the insecure package, which allows mostly all collection-operations on the client (without restriction).

Isn’t this something to worry about? I searched this forum and the github issues, but it seems that this hasn’t come up yet (or at least I did not search well enough).

Regards,
Stephan

sashko · July 6, 2015, 8:59pm

If you look at the code here:

github.com

aldeed/meteor-collection2/blob/ec17d3e979a1dbb2fa63f363d8e18bdcf88c1e83/package.js#L21




api.use('aldeed:simple-schema@1.3.2');
api.imply('aldeed:simple-schema');


api.use('underscore@1.0.0');
api.use('check@1.0.0');
api.use('mongo@1.0.4');
api.imply('mongo');
api.use('ejson@1.0.0');


// Allow us to detect 'insecure'.
api.use('insecure@1.0.0', {weak: true});


api.addFiles(['collection2.js']);
});


Package.onTest(function(api) {


api.use('aldeed:collection2');
api.use('tinytest@1.0.0');
api.use('test-helpers@1.0.0');

It’s actually a weak dependency, so it doesn’t pull in the package.

Perhaps Atmosphere should detect this when listing dependencies. I would suggest filing an issue on Atmosphere: https://github.com/percolatestudio/atmosphere/issues

[Edited the title so that people who just read the title don’t get worried!]

stephan · July 7, 2015, 7:24pm

Hi @sashko

Thanks for pointing that out, that’s good to know and very soothing.

Yes, didn’t want to scare anyone, thanks.

Have a nice day!