Comments (4)
We discussed this and I think arrived at two separate decisions:
-
Create a library that performs accurate transforms.
PnpmfileConfiguration.ts
should be split into two separate APIs: One half is the Rush-specific API whose purpose is only to generate the.pnpmfile.cjs
shim. The other half will be a common library whose purpose is to accurately transform a package.json file the way that PNPM would do. This involves loading.pnpmfile.cjs
(ideally into an isolated web worker that can be cleaned up easily), as well as applying other transforms such as"overrides"
that do not involve any script code, probably leveraging the@pnpm/hooks.read-package-hook
package that @chengcyber mentioned. -
Don't rely on transforms at all for
rush install
. Todayrush install
is transforming package.json because it is trying to compare project dependency versions against the lockfile to determine whether the lockfile is up-to-date. This was a good idea in the old days, but PNPM is now so complicated and so reliable that such logic has become difficult to support. A better model would be to focus purely on inputs: (1) collect all the inputs such as package.json, pnpm-config.json, .pnpmfile.cjs, etc. (2) normalize the file contents by removing irrelevant fields then sorting, (3) hash the result, and then (4) compare those hashes against hashes saved from the previous successfulrush update
. This avoids the need for semantic analysis of lockfiles, and so is a much simpler algorithm, and will be much more robust for behavioral changes across PNPM releases.
Thus, the proposed common library for accurate package.json transforms is really only needed by rush deploy
and the Lockfile Explorer app. In both cases, although we will aim for 100% accurate transforms of package.json, it is not a big deal if there are some minor mistakes. (Lockfile Explorer is just a viewer, and rush deploy
's analysis is technically a heuristic that can be fixed up using manual configurations.)
These two actions are separate work items that can be implemented in any order. #2 is probably the quickest fix for #4675.
from rushstack.
There's a TODO in the code just above where you linked to consider using globalOverrides
to modify the evaluation of workspace-local package.json
files to be an error:
rushstack/libraries/rush-lib/src/logic/pnpm/PnpmShrinkwrapFile.ts
Lines 1007 to 1009 in 0c41a82
The basis for this is that globalOverrides
is intended to be a mechanism for compensating for incorrect content in package.json
in external dependencies, so if the contents of a local package.json
are wrong, that package.json
should be directly modified.
Enforcing the installed version dependency in workspace packages is the domain of common/config/common-versions.json
and the ensureConsistentVersions
setting: https://rushjs.io/pages/maintainer/recommended_settings/#ensureconsistentversions
from rushstack.
I see... so this should throw an error I guess. At the moment, there's no "hint" of what went wrong and users will keep retrying to rush update
without avail
from rushstack.
Hi @kenrick95
but it seems like it is not handled when it is first implemented in the PR
You are right. The initial implementation doesn't cover the advanced syntax, as it was a quick fix for the urgent issues in our company's monorepo.
I just checked this requirement again to see whether I can quickly support it. However, It seems to me a little bit complicated to support the advance syntax. Technically, PnpmfileConfiguration#transform
needs to know the overrides configuration and mimic the pnpm's fashion to patch hooks.readPackage
function if overrides exist
Further, to make it 100% accurate, there are other configurations should be supported as well. Related pnpm code is
https://github.com/pnpm/pnpm/blob/aa33269f9f9fc0c3505ae1c59264d1706923a971/hooks/read-package-hook/src/createReadPackageHook.ts
from rushstack.
Related Issues (20)
- [rush] Design proposal: push notifications to users through CLI HOT 3
- [rush] `rush install --variant <variant-name>` doesn't work for the latest rush versions HOT 2
- [rush] Vulnerability for @azure/identity flagged by component governance HOT 1
- [api-extractor] config merge preserves longer array entries (`reportVariants` can't be reduced)
- [api-extractor] How to remove redundant new lines of trimmed variables?
- [rush] `rush add -p pkg@some_version --make-consistent` to update a installed old version pkg will update all projects not a subapce's projects HOT 3
- [api-documenter] Processing links inside of tables not working reliably in jekyll
- [rush] Update ci.yml to cache installed dependencies HOT 2
- [rush] `rush-pnpm store prune` returns exit code 1 since 5.126.0 HOT 2
- [api-extractor] feature request: add inferred `in` and `out` to generics in api report
- [rush] rush deploy fails with argon2 package missing in x86 docker build from ARM host HOT 1
- [api-extractor] Support Typescript 5.5 HOT 3
- [api-extractor] Re-exporting of module "namespaces" across package boundaries yields malformed type roll-ups HOT 1
- [rush] Rush add causes malformed package.json if the package.json does not have "dependencies" field yet and have >1 entries in "contributors" field
- [rush] Git branch lockfiles of pnpm cannot be used with rush HOT 2
- [rush] shrinkwrapIsUpToDate does not take globalOverrides into account HOT 2
- [rush] Running `rush rebuild` to run `rollup -c` causes a warning tip. HOT 2
- [rush] `rush add` adds latest version when repository already has a dependency on the package
- rush-pnpm patch-commit not generating patch file HOT 4
- [rush] cobuild errors are not properly propagated. HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rushstack.