improve error message for npm-based formatters to emphasize local-only

[renannprado]

Hello dear maintainers,

I was setting up spotless in my project and while trying it out I started facing the below exception (which I already managed to fix).

I got a bit scared though, because it seems that it's trying to send my code to a remote server... is that correct?

I understand that you don't have control over all the plugins (i.e. I guess nothing would prevent prettier itself from doing this), but in this case here it seems that potential code leaking is coming from spotless itself.

If the answer to the above question is "yes", is it possible to optout of this altogether?

The below exception seems to be related to this class, but I can't make any conclusions just by looking at this class alone.

Thanks!

[nedtwigg]

Spotless never sends your code to a remote server, and none of our plugins do.

We did have a problem once where one our formatters was doing XML validation, and full-spec XML validation did some network requests to get a DTD to validate against, and we filed a CVE for that when we realized it:

• CVE-2019-9843: The XML parser isn't respecting resolveExternalEntities as false #358

Some Spotless formatters are based on npm packages. And the way we interface with them is to open a little webserver on localhost, and do localhost requests to send data from the JVM to the Node.js process. That's what you're seeing.

If we ever find a plugin sending code to any network service, it is a red alarm fire, and would get a CVE just like we did with XML DTD mentioned earlier.

[renannprado]

@nedtwigg thanks for the reply! Since it's not clear from the error message, is it possible to improve this error somehow so that it doesn't scare other people in the future?

[nedtwigg]

Good idea!