plugin-dependency-not-allowlisted
Cross-marketplace dependency requires allowCrossMarketplaceDependenciesOn
Error
Rule Details
Only the root marketplace allowlist is consulted - the marketplace hosting the plugin being installed - so trust does not chain through intermediate marketplaces. This rule can only fire when the marketplace manifest is present in the scanned tree; a plugin published from a separate repository cannot be checked here.
Incorrect
Dependency on another marketplace with no allowlist
json
{
"name": "acme-tools",
"owner": { "name": "Acme" },
"plugins": [
{
"name": "deploy-kit",
"source": "./deploy-kit",
"dependencies": [{ "name": "audit-logger", "marketplace": "acme-shared" }]
}
]
}Correct
Target marketplace listed in the allowlist
json
{
"name": "acme-tools",
"owner": { "name": "Acme" },
"allowCrossMarketplaceDependenciesOn": ["acme-shared"],
"plugins": [
{
"name": "deploy-kit",
"source": "./deploy-kit",
"dependencies": [{ "name": "audit-logger", "marketplace": "acme-shared" }]
}
]
}How To Fix
Add the target marketplace name to allowCrossMarketplaceDependenciesOn in marketplace.json.
Options
This rule does not have any configuration options.
Related Rules
Resources
Version
Available since: v0.6.0