Wally is a modern package manager for Roblox projects inspired by Cargo

Uplift Games

Last update: Jan 3, 2023

Related tags

Miscellaneous wally

Overview

Wally, a package manager for Roblox

Installation
Commands
Prior Art
Manifest Format
Lockfile Format
Registries
License

About

Wally is a package manager for Roblox inspired by Cargo (Rust) and npm (JavaScript). It brings the familiar, community-oriented world of sharing code from other communities into the Roblox ecosystem.

Wally has two pieces that work together: a command line tool named wally and a registry server that hosts packages. Most users will only interact with the command line tool, but both are available in this repository.

Installation

From GitHub

Pre-built binaries are available for Windows, macOS, and Linux from the GitHub Releases Page for Wally.

With Foreman

Foreman is a toolchain manager developed for the Roblox community. You can use it to install Wally:

wally = { source = "UpliftGames/wally", version = "0.1.0" }

From Source

It's straightforward to compile Wally from source. Wally requires Rust 1.51.0 or newer.

Clone the repository and use:

cargo install --locked --path .

Commands

`wally init`

Create a new, empty package.

Parity with:

cargo init
npm init

`wally install [--locked]`

Installs all packages.

--locked matches cargo XXX --locked, which will error if there is not an up-to-date lockfile. Intended for use on CI machines.

Parity with:

npm install with no arguments

`wally update [package-names]` (unimplemented)

Update packages recursively. By default, will update all packages. If any package names are given (in the form scope/name or scope/name@version-req), just those packages will be updated instead.

Parity with:

cargo publish
npm update (npm 7+, equivalent to --depth 9999 in npm 6.x and older)

`wally publish`

Publish the current package.

Parity with:

cargo publish
npm publish

`wally login`

Log into an account to publish packages to a registry.

Partiy with:

cargo login
npm login

`wally logout`

Log out of a registry account.

Parity with:

cargo logout
npm logout

`wally package --output`

Package the current project as a zip file suitable for uploading to the package registry. Useful for adding entries to the registry and debugging what ends up in the blob that will be uploaded.

Parity with:

cargo package

`wally manifest-to-json`

Prints the current project's manifest as a line of JSON. Used for adding entries to the package index.

Parity with:

cargo read-manifest

Prior Art

Wally aims to stand on the shoulders of giants. Decisions we make are in part backed up by looking at other package managers and other public documentation:

So you want to write a package manager
crates.io and Cargo from the Rust ecosystem
npm from the JavaScript ecosystem
PyPI, pip, pipenv, and Poetry from Python

Manifest Format

The package manifest file describes a package and all of the packages it depends on. Package manifests are written in TOML and stored in a file named wally.toml.

Manifest files are written by humans. They can contain comments and formatting decisions that are tough to preserve with automatic editing tools. This should be okay -- editing a package manifest should be easy.

Manifest files define all necessary information about a package.

Here is an example package manifest, annotated with comments:

"] # Packages belong to a "realm", which helps prevent using code in the wrong # context. For now, we have "server" and "shared" realms. realm = "shared" # Wally supports multiple registries. # This feature can be used to have split public/private registries to # keep internal code private and isolated. registry = "https://github.com/upliftgames/wally-index" [dependencies] # Most dependencies will look like this. # # The name on the left is an alias. It defines what name we would like to # use to refer to this package. # # The value on the right will usually be a string of the form # "SCOPE/NAME@VERSION_REQ" # Versions are SemVer version requirements. The default behavior matches # Cargo, or npm with the `^` version specifier. Roact = "roblox/[email protected]" Promise = "evaera/[email protected]" # In the future, it'll be possible to pull dependencies from Git. # # This shouldn't be used for most dependencies. It's intended to be used for # testing changes from PRs or other experimental branches. CoolThing = { git = "https://github.com/Roblox/cool-thing.git", branch = "pr-1231" } # Dependencies will optionally also contain a file path. This feature is # based on a similar feature in Cargo that is useful for having multiple # packages in the same repository, like the client and server halves of the # same codebase. MonoThing = { registry = "roblox/[email protected]", path = "../MonoThing" } # Any dependency that we use only for testing goes in a special section. # # These dependencies will not be shipped with the production version of a # project. [dev-dependencies] TestEZ = "roblox/[email protected]" ">

[package]
# Package names are always "SCOPE/NAME"
# They can inclde lowercase letters, numbers, and dashes.
name = "lpghatguy/asink"

# Descriptions are free-form. These will be used as part of package listings
# and search results.
description = "Asynchronous programming primitives"

# Versions follow Semantic Versioning.
# https://semver.org/
version = "2.0.7"

# Contains an SPDX License Expression.
# Licenses are required for publishing code to public registries.
license = "MIT OR Apache-2.0"

# The author list is a free-form list, but conventionally contains names and
# email addresses.
authors = ["Lucien Greathouse "]

# Packages belong to a "realm", which helps prevent using code in the wrong
# context. For now, we have "server" and "shared" realms.
realm = "shared"

# Wally supports multiple registries.
# This feature can be used to have split public/private registries to
# keep internal code private and isolated.
registry = "https://github.com/upliftgames/wally-index"

[dependencies]
# Most dependencies will look like this.
#
# The name on the left is an alias. It defines what name we would like to
# use to refer to this package.
#
# The value on the right will usually be a string of the form
#   "SCOPE/NAME@VERSION_REQ"
# Versions are SemVer version requirements. The default behavior matches
# Cargo, or npm with the `^` version specifier.
Roact = "roblox/[email protected]"
Promise = "evaera/[email protected]"

# In the future, it'll be possible to pull dependencies from Git.
#
# This shouldn't be used for most dependencies. It's intended to be used for
# testing changes from PRs or other experimental branches.
CoolThing = { git = "https://github.com/Roblox/cool-thing.git", branch = "pr-1231" }

# Dependencies will optionally also contain a file path. This feature is
# based on a similar feature in Cargo that is useful for having multiple
# packages in the same repository, like the client and server halves of the
# same codebase.
MonoThing = { registry = "roblox/[email protected]", path = "../MonoThing" }

# Any dependency that we use only for testing goes in a special section.
#
# These dependencies will not be shipped with the production version of a
# project.
[dev-dependencies]
TestEZ = "roblox/[email protected]"

Lockfile Format

The lockfile contains the exact versions of each dependency that a project depends on. They're a critical feature that ensures that everyone who works on a game is getting the exact same version of every package.

Lockfiles are written in TOML and stored in a file named wally.lock. They're are human readable, but are only written by tools. We've optimized the lockfile format for reading as well as diffing so that they're as easy to review as possible.

[[package]]
name = "registry:lpghatguy/asink"
version = "2.0.7"
dependencies = [
 "registry:roblox/roact",
 "registry:evaera/roblox-lua-promise",
 "registry:roblox/mono-thing",
 "git:https://github.com/Roblox/cool-thing.git",
]

[[package]]
name = "registry:evaera/roblox-lua-promise"
version = "2.1.0"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

[[package]]
name = "registry:roblox/mono-thing"
version = "1.3.2"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

[[package]]
name = "git:https://github.com/Roblox/cool-thing.git"
rev = "foo"
commit = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

Registries

Like many programming language package managers, Wally packages are published to a registry.

A Wally registry consists of two pieces, inspired by Cargo and crates.io:

A Git repository containing a package index
A registry API that handles downloading and publishing package contents

We do not currently host an official Wally registry. This will be coming eventually!

Registry API

Authentication is currently done with simple tokens. This isn't feasible for hosting a publicly-writable registry.

GET /v1/package-contents///
- Returns the contents of a package for installation
- Package contents are ZIP files
POST /api/v1/publish
- Client will post a package tarball that is extracted and published from the server.

License

Wally is available under the terms of the Mozilla Public License Version 2.0. Terms and conditions are available in LICENSE.txt or at https://www.mozilla.org/en-US/MPL/2.0/.

Comments

Wally produces flat file structure

For rodux and roact-rodux wally produces a flat file structure with backslashes in the names rather than the hierarchy it means to create. It creates the file structure normally for roact.

Happens with the linux release binary and when building from source on linux with v0.1.1.

bug

opened by LastTalon 5
No support for usage of multiple registries

We should support the ability to use multiple registries at the same time. Currently, if you wish to host your own private registry but depend on packages in another registry (ie the public one), you can't.

I believe we should implement this by adding a "fallback" registry index url to the index config.json. If the registry we are searching doesn't contain a package, we can look at the fallback for it. We should include a mechanism to recognise if a circular chain of registries has occurred.

We need to be careful we don't leak package names by requesting private packages from a public registry. We have all the information we need to prevent that in indexs already though. This may also impact our lock file format. I think we should include exactly which registry a package was sourced from. In the event a registry no longer contains a package we shouldn't silently swap to another registry. They may be hosting a differing version, even though it is labelled as the same version. To explicitly swap would be simple as you can just remove the entry from the lock file.
enhancement

opened by magnalite 4
Rename rojo project during upload when wally package name doesn't match
At the moment it is possible to publish a package which has a name differing from a name given in a Rojo default.project.json. This means Rojo will rename the package later on causing problems with linking. This PR aims to mitigate this by preventing users publishing packages with mismatched names and prompting them to rename.

It does so by checking if a default.project.json file exists in the project during publishing, and if it does, asserts the project name matches the package name given in the wally.toml.

This PR also adds:

A test to verify publishing will stop when names are mismatched (and users are given an appropriate error).

Another test to verify users are given an appropriate error when the names are fine (instead of a mismatched error).

An extra global argument to allow tests to specify a temporary package index should be used. This caused problems when multiple publish tests were being run.

The publish command now also accepts global arguments.

Renames the wally-test-index url in the test packages to the new one (instead of the old archived one which 404s).
opened by magnalite 4
Failure to compile Wally from source

Wally cloned into /home/[username]/wally Ran cargo install --locked --path wally on /home/[username]/

It did not work and returned a failed to load source for dependency "rocket" error.

System: Manjaro (Arch ARM64)

Also, if possible I would like to run the wally executable provided along with the linux.zip file, but it doesn't seem to function well.

opened by GnomeDevs 3

Scope Issues

Updating wally to 0.3.0, I'm running into the following error when running cargo install --locked --path C:\somePath

Seems to be an issue with the termion crate.

C:\somePath\someOtherPath\ROBLOX\wally_source\wally-0.3.0>cargo install --locked --path C:\somePath\someOtherPath\ROBLOX\wally_source\wally-0.3.0
  Installing wally v0.3.0 (C:\somePath\someOtherPath\ROBLOX\wally_source\wally-0.3.0)
    Updating crates.io index
   Compiling termion v1.5.6
   Compiling atomic v0.5.0
   Compiling measure_time v0.7.0
   Compiling libz-sys v1.1.2
   Compiling bzip2-sys v0.1.10+1.0.8
   Compiling blake3 v0.3.7
error[E0433]: failed to resolve: maybe a missing crate `sys`?
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\lib.rs:24:9
   |
24 | pub use sys::size::terminal_size;
   |         ^^^ maybe a missing crate `sys`?

error[E0433]: failed to resolve: maybe a missing crate `sys`?
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\lib.rs:27:9
   |
27 | pub use sys::tty::{is_tty, get_tty};
   |         ^^^ maybe a missing crate `sys`?

error[E0433]: failed to resolve: maybe a missing crate `sys`?
 --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\async.rs:5:5
  |
5 | use sys::tty::get_tty;
  |     ^^^ maybe a missing crate `sys`?

error[E0433]: failed to resolve: maybe a missing crate `sys`?
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:28:5
   |
28 | use sys::attr::{get_terminal_attr, raw_terminal_attr, set_terminal_attr};
   |     ^^^ maybe a missing crate `sys`?

error[E0432]: unresolved import `sys`
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:29:5
   |
29 | use sys::Termios;
   |     ^^^ maybe a missing crate `sys`?

error[E0425]: cannot find function `get_tty` in this scope
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\async.rs:14:36
   |
14 |     thread::spawn(move || for i in get_tty().unwrap().bytes() {
   |                                    ^^^^^^^ not found in this scope

error[E0425]: cannot find function `get_tty` in this scope
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\async.rs:43:36
   |
43 |     thread::spawn(move || for i in get_tty().unwrap().bytes() {
   |                                    ^^^^^^^ not found in this scope

error[E0425]: cannot find function `set_terminal_attr` in this scope
  --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:45:9
   |
45 |         set_terminal_attr(&self.prev_ios).unwrap();
   |         ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `get_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:102:23
    |
102 |         let mut ios = get_terminal_attr()?;
    |                       ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `raw_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:105:9
    |
105 |         raw_terminal_attr(&mut ios);
    |         ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `set_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:107:9
    |
107 |         set_terminal_attr(&ios)?;
    |         ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `set_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:119:9
    |
119 |         set_terminal_attr(&self.prev_ios)?;
    |         ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `get_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:125:23
    |
125 |         let mut ios = get_terminal_attr()?;
    |                       ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `raw_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:126:9
    |
126 |         raw_terminal_attr(&mut ios);
    |         ^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find function `set_terminal_attr` in this scope
   --> C:\somePath\.cargo\registry\src\github.com-1ecc6299db9ec823\termion-1.5.6\src\raw.rs:127:9
    |
127 |         set_terminal_attr(&ios)?;
    |         ^^^^^^^^^^^^^^^^^ not found in this scope

   Compiling futures-channel v0.3.17
Some errors have detailed explanations: E0425, E0432, E0433.
For more information about an error, try `rustc --explain E0425`.
error: could not compile `termion` due to 15 previous errors
warning: build failed, waiting for other jobs to finish...
error: failed to compile `wally v0.3.0 (C:\somePath\someOtherPath\ROBLOX\wally_source\wally-0.3.0)`, intermediate artifacts can be found at `C:\somePath\someOtherPath\ROBLOX\wally_source\wally-0.3.0\target`

Caused by:
  build failed

C:\somePath\someOtherPath\ROBLOX\wally_source\wally-0.3.0>

I have uninstalled wally0.2.1 via cargo uninstall. I am running Windows10

opened by JoelBrd 3

Wally doesn't escape quote path parameters, so users with spaces in their folder names error

Wally should escape quote the path parameter so that it is not problematic for the few (silly) users who have spaces in their usernames or folder paths.
bug

opened by unix-system 3
Security hotfix: Implement functionality to ban GitHub user IDs

Super quick hotfix for security vulnerability where users can take over org scopes if the corresponding GitHub org doesn't exist. Allows the banning of a malicious account on a case-by-case basis.

This implementation was discussed over Discord and is a temporary bandaid for a larger vulnerability that will take more time to fix.

I couldn't implement test cases without re-architecture because Wally's test setup doesn't support faking GitHub authentication. Ideally, you could mock HTTP requests to GitHub's API via a mock HTTP client, but this would take too much time to implement here.

opened by grilme99 2
Ability to add a @latest to the versioning at wally.toml

Currently when starting a new project and well adding new dependencies you usually don't want to constantly leave to look at what versioning the package is at on wally.run, with that I would love to be able to pass a @latest versioning which follows semver and multiple other package managers use to easily get the latest version of that package.

opened by imacodr 2
Add a way to unpublish published packages

Currently, there is no way to delete packages published to https://github.com/UpliftGames/wally-index. This is a problem as I can't delete packages which are accidentally published...

Something like wally unpublish would do.

opened by bubshayz 2
Update Roact to 1.4.4

The latest tagged Roact release is v1.4.4: https://github.com/Roblox/roact/releases/tag/v1.4.4

It would be great if somebody in charge of the index could get this version published. I need this version in particular so my Luau analysis can pass (In Roact < 1.4.4 there is a type error that cannot be suppressed by analysis)

opened by vocksel 1
Fix using packages with dev dependencies

This is a fix for #71. It stops wally install from resolving dev dependencies of nested packages, which I'm pretty sure is unintended behavior since it leads to a crash every time.

I have zero Rust experience so please be gentle. 😛

opened by ChipioIndustries 1
Overriding Dependencies

Wally should have a mechanism similar to Cargo, where you can override the dependencies of other crates. See: https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html

Much of the existing ecosystem around Roact is fully compatible with Roact17, but in order to use existing packages one must fork each package and change the dependency from Roact to RoactCompat. A mechanism for overriding dependencies simplifies this problem.

opened by grilme99 1
Improve browsing packages on the website

The wally website currently isn't very useful for finding packages. It currently only shows 6 (seemingly hard-coded?) recommended packages. Searching isn't useful for discovering packages because you have to already know the name of the package you're looking for search to be useful. The wally website should allow you to browse an list of all the packages, and search should just narrow down the list. This would vastly improve wally by making discoverability of packages easier.

opened by fewkz 0
How do you include packages for testing your project without including them in the release?

I saw that all my packages included with Wally were included in the published release so I thought adding them to [dev-dependencies] would fix it, I was wrong. How would I accomplish this?

opened by L3G5ND 0
Dev dependencies are not always linked correctly

If a dev dependency is shared with a regular dependency, it will only install in the Packages index.

This happens in cases such as if testez is a dev dependency and is also a dependency of one of your normal dependencies. The testez link will be generated pointing to an index that doesn't exist, when it should be pointing to the Packages folder index.

opened by LastTalon 0
wally not working on macOS

hello, i have a macOS and I am trying to get Knit to work. For some reason, according to foreman everything is installed in the foreman.toml file, however, when I run wally init my computer tells me that there is no such command. Do you know a fix? Sorry

opened by devtyp 3

Releases(v0.3.1)

v0.3.1(Nov 12, 2021)
Dev dependencies! 🚀

Changes since 0.3.0

Support for dev dependencies (#63)

Clarified upgrade response for outdated cli clients

Clarified feedback on failure to resolve package

Source code(tar.gz)
Source code(zip)
wally-0.3.1-linux.zip(5.42 MB)
wally-0.3.1-macos.zip(4.77 MB)
wally-0.3.1-win64.zip(3.76 MB)
v0.3.0(Nov 11, 2021)
One step closer 🎉

Changes since 0.2.1

Fixed Windows generating invalid zip archives. (#15)

Support for registry fallback chains (#35)

Generate cross realm package links (#38)

Support include/exclude lists in manifest (#44)

Backend API for package metadata and search (#46)

Arch users can now use vendored-libgit2 btw (#52)

Frontend can search packages and display package info (#55)

Minimum Wally version enforcement by registry (#57)

Source code(tar.gz)
Source code(zip)
wally-0.3.0-linux.zip(5.41 MB)
wally-0.3.0-macos.zip(4.76 MB)
wally-0.3.0-win64.zip(3.76 MB)
v0.2.1(Oct 1, 2021)
We now have a website! https://wally.run

Changes since 0.2.0

First iteration of wally frontend. (#32)

Source code(tar.gz)
Source code(zip)
wally-0.2.1-linux.zip(5.20 MB)
wally-0.2.1-macos.zip(4.63 MB)
wally-0.2.1-win64.zip(3.63 MB)
v0.2.0(Sep 29, 2021)
Public authentication is here!

Fixed package links between sibling packages. (#17)

Fixed invalid package names being generated from wally init. (#19)

Added public authentication strategy via GitHub. (#20)

Improved readability of package name errors. (#23)

Renames rojo projects when the name given in default.project.json doesn't match the name given in wally.toml. (#25)

More efficient use of reqwest. (#27)

Enforce a max length on package names. (#28)

Source code(tar.gz)
Source code(zip)
wally-0.2.0-linux.zip(5.20 MB)
wally-0.2.0-macos.zip(4.63 MB)
wally-0.2.0-win64.zip(3.63 MB)
v0.1.1(Aug 3, 2021)
Happy launch day! We already found some bugs, this release fixes one of them.

Changes Since 0.1.0

Fixed wally install failing due to a "file not found" error. (#11)

Source code(tar.gz)
Source code(zip)
wally-0.1.1-linux.zip(5.05 MB)
wally-0.1.1-macos.zip(4.53 MB)
wally-0.1.1-win64.zip(3.55 MB)
v0.1.0(Aug 3, 2021)

This is the first release of Wally, a new package manager for Roblox!

This release is an early alpha quality and may not work super well. Stay tuned for more development!
Source code(tar.gz)
Source code(zip)
wally-0.1.0-linux.zip(5.05 MB)
wally-0.1.0-macos.zip(4.54 MB)
wally-0.1.0-win64.zip(3.55 MB)

Owner

Uplift Games

Uplift Games is a remote-first game studio based in North America and the UK. We make Adopt Me, the fastest growing and most-played Roblox game of all time.

GitHub https://wally.run