How to privatize dependencies in Swift Package Manager?

If I have an app with dependency on a module created in SPM, call it Network. Network module has dependency on Alamofire. When I'm in my app, I can still import Alamofire even though there is no direct dependency on it. How do I keep my Alamofire private such that it's only exposed to the Network module and not the main app?

3 Likes

This thread on implementation only imports might be interesting to you

That was the first thing I tried prior to posting this thread. It didn't work for me, I am on the latest version of Swift. To be precise, what I tried was adding the implementationOnly syntax in Network module for Alamofire like this (@_implementationOnly import Alamofire). Then I went to the main app, and was still able to import Alamofire there, did I miss something with my implementation?

Implementationā€only imports only prevent a dependency from being forwarded through the import statement.

// ModuleB
import CModuleA
// ModuleC
import ModuleB // Implicitly got ā€œimport CModuleAā€ too.
// ModuleD
@_implementationOnly import CModuleA
// ModuleE
import ModuleD // Hasnā€™t implicitly imported CModuleA.

At the moment, SwiftPM does nothing to enforce that import statements are also mentioned in the manifest. All dependenciesā€”both direct and transitiveā€”end up in the import and linker search paths, so there is currently nothing you can do about it. Adding such enforcement would be nonā€trivial, since many imports originate from outside the package anyway, such as import Foundation.

3 Likes

Thanks @SDGGiesbrecht . I appreciate the confirmation. Hopefully SPM will evolve and include this much needed feature in the future.

1 Like

I donā€™t know of anyone who is happy with the status quo. I just also donā€™t know of anyone sufficiently annoyed with it to push it to the top of their toā€do list and actually do the work of designing the solution. At least so far.

2 Likes

Update (because readers clicking ā€œlikeā€ have pushed this thread back into the recent activity feed):

Pull request #3562ā€”which at the moment has passed tests but not yet been mergedā€”aims to throw a warning whenever such an indirect dependency is imported.

Terms of Service

Privacy Policy

Cookie Policy