How to privatize dependencies in Swift Package Manager?

Using Swift
1

If I have an app with dependency on a module created in SPM, call it Network. Network module has dependency on Alamofire. When I'm in my app, I can still import Alamofire even though there is no direct dependency on it. How do I keep my Alamofire private such that it's only exposed to the Network module and not the main app?

10 Likes
2

This thread on implementation only imports might be interesting to you

1 Like
3

That was the first thing I tried prior to posting this thread. It didn't work for me, I am on the latest version of Swift. To be precise, what I tried was adding the implementationOnly syntax in Network module for Alamofire like this (@_implementationOnly import Alamofire). Then I went to the main app, and was still able to import Alamofire there, did I miss something with my implementation?

1 Like
4

Implementationā€only imports only prevent a dependency from being forwarded through the import statement.

// ModuleB
import CModuleA

// ModuleC
import ModuleB // Implicitly got ā€œimport CModuleAā€ too.

// ModuleD
@_implementationOnly import CModuleA

// ModuleE
import ModuleD // Hasnā€™t implicitly imported CModuleA.

At the moment, SwiftPM does nothing to enforce that import statements are also mentioned in the manifest. All dependenciesā€”both direct and transitiveā€”end up in the import and linker search paths, so there is currently nothing you can do about it. Adding such enforcement would be nonā€trivial, since many imports originate from outside the package anyway, such as import Foundation.

5 Likes
5

Thanks @SDGGiesbrecht . I appreciate the confirmation. Hopefully SPM will evolve and include this much needed feature in the future.

1 Like
6

I donā€™t know of anyone who is happy with the status quo. I just also donā€™t know of anyone sufficiently annoyed with it to push it to the top of their toā€do list and actually do the work of designing the solution. At least so far.

4 Likes
7

Update (because readers clicking ā€œlikeā€ have pushed this thread back into the recent activity feed):

Pull request #3562ā€”which at the moment has passed tests but not yet been mergedā€”aims to throw a warning whenever such an indirect dependency is imported.

3 Likes