cross posting for better visibility microsoft/fluentui#26147

Projects which use Yarn version 2 are facing caching issue with lage because there is a logical dependency of parsing yarn lock file in workspace-tools. current workspace-tools can only parse lock files of yarn version 1, it breaks for yarn version 2 lock files.

#microsoft/lage#129

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>microsoft/m365-renovate-config:autoUpdateTypes)

$ react-native rnx-bundle --dev false
info Bundling macos...
Welcome to Metro!
Fast - Scalable - Integrated

Failed to construct transformer: Error: Cannot find module 'fast-glob'
Require stack:

• C:\Users\avipie\Repos\1JS\src\ooui.store\[email protected]\node_modules\workspace-tools\lib\getPackagePaths.js
• C:\Users\avipie\Repos\1JS\src\ooui.store\[email protected]\node_modules\workspace-tools\lib\workspaces\implementations\pnpm.js
• C:\Users\avipie\Repos\1JS\src\ooui.store\[email protected]\node_modules\workspace-tools\lib\index.js

To reduce the number of dependencies (and possible vulnerabilities) pulled in by other tools/packages that use workspace-tools, we'd like to split the package into more granular parts.

Possible parts include:

• workspace-tools-git: git utilities (#179)
• workspace-tools-paths: path utilities (#179)
• workspace-tools-types: shared types such as PackageInfo
• workspace-tools-graph: package dependency graph
• others TBD: lock file parsing, getting workspace info, ?

When searchUp is passed a relative path or a path that doesn't start with /, e.g. the/path/to/a/start/point and the filePath is not found an infinite loop results.

Why

13  const root = path.parse(cwd).root;

root is set to "" and in

23 cwd = path.dirname(cwd)

at the last point of the path cwd is set to "."

"." never equals "" and the loop doesn't exit

Possible solution

• Add a leading / to cwds passed in without it just for the loop's case

No link to github here:
https://www.npmjs.com/package/workspace-tools

I'm using lage and trying to use the ignore field in the configuration.

Anyways, the error I'm seeing is the parser for git.getUntrackedChanges() is not working as expected.

In my repo, I modify 2 files (that are tracked already) and end up with [ 'README.md\n M lage.config.js' ] here.

Expected: []
Got: [ 'README.md\n M lage.config.js' ]

So it ends up causing lage to think every package has changed and it builds everything in the repo when I modify the README.md file at the root.

Some details:

node: 14.17.4
workspace-tools: 0.18.2
git: 2.35.1
OSX: 12.2.1

daniel.fritz ~/Dev/splat (master !$)
% git status --short
 M README.md
 M lage.config.js

daniel.fritz ~/Dev/splat (master !$)
% git status
On branch master
Your branch is up to date with 'origin/master'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   README.md
        modified:   lage.config.js

no changes added to commit (use "git add" and/or "git commit -a")

daniel.fritz ~/Dev/splat (master !$)
%

Do you guys write comments?

https://github.com/microsoft/workspace-tools/blob/1865434/packages/workspace-tools/src/getPackageInfos.ts

It's cool that there's a docs site but when the docs don't say anything useful, it's kind of a bummer.

https://microsoft.github.io/workspace-tools/functions/getPackageInfos.html

Currently, the bulk of the dependencies come from the various lock file api's. They amount to nothing but two kinds of things:

1. finding the right lock file with a find-up style convention
2. parsing yaml
3. stuffing the info obtained into a in-memory collection

I believe we can achieve these with much fewer dependencies so this library isn't so heavy

It seems that the function createDependencyMap is not exported properly. I tried to use it in teams-modular-packages and I had to add an export statement for it locally. How can this be solved?

git fetch has an extra parameter you could potentially use that executes arbitrary commands: --upload-pack. The issue is here:

and

Fix is to add a -- in the arg list like this: fetch -- remote remotebranch. This may not be a big deal, but it has come up as a security issue with other git wrapper libs.

Overview

workspace-tools had been used by some of the key monorepo scripts & tools that manage some of the large Microsoft JS projects. This library really came from merging tooling from these repos: backfill, beachball, just-scripts, and lage.

Problems of v0.x

The library has these characteristics & problems:

• the library is a LOOSELY defined set of functions surrounding getting workspace information and related git operations
• the additions to the library are mainly static functions, not classes
• some functions attempt to do caching but without standard ways to invalidate cache
• ALL functions are synchronous 👎🏼
• packageInfos and workspaces are loosely used between different functions as the "state" to be passed between functions - these are not used consistently

Proposal

Goals

1. API surface should be designed ahead of time before implementation
2. No external dependencies (lockfiles implementation, etc. should be implemented JUST enough to gather the information needed)
3. Prefer library calls over spawning processes
4. Asynchronous and Synchronous API surface
5. Leverage NAPI if it makes the operation fast
6. Split repo into monorepo to clearly delineate different aspects of workspace-tools - e.g. git, lockfile, filtering (#229)

When trying to use beachball to generate a change file, I saw that the call to fetch changes from the upstream repo was failing in the call to the fetchRemoteBranch in workspace-tools:

Checking for changes against "origin/main"
fetching latest from remotes "origin/main"
beachball v2.16.0 - the sunniest version bumping tool
An error has been detected while running beachball!
Error: Cannot fetch remote: origin main
    at Object.fetchRemoteBranch (C:\code\react-native-windows\node_modules\beachball\node_modules\workspace-tools\lib\git.js:109:15)

However, removing the passphrase from the SSH key I used to authenticate to the origin remote repo fixes the command. It seems the the fetchRemoteBranch command fails when the git CLI prompts for the key passphrase.

I have a yarn 2 monorepo with two packages, spe and editor; editor depends on spe:

$ yarn workspaces list --verbose --json
{"location":".","name":null,"workspaceDependencies":[],"mismatchedWorkspaceDependencies":[]}
{"location":"packages/editor","name":"spline-app","workspaceDependencies":["packages/spe"],"mismatchedWorkspaceDependencies":[]}
{"location":"packages/spe","name":"spe","workspaceDependencies":[],"mismatchedWorkspaceDependencies":[]}

I added a "hello" script to each package that just prints which package we are in:

packages/editor/package.json:

{...
        "name": "editor",
	"private": true,
	"scripts": {
		"hello": "echo hello from editor",
...
	},
	"dependencies": {
		"spe": "workspace:*",
...
	},
}

packages/spe/package.json:

{
	"name": "spe",
	"version": "0.3.0",
	"scripts": {
		"hello": "echo hello from spe",
...
	},
}

Running yarn workspaces foreach -t run hello I would expect both scripts to run, spe first. Instead This is the result:

yarn workspaces foreach -t run hello
➤ YN0000: hello from spe

the -A flag does not change anything about this. With -R no scripts are run at all. Only with -ip and -p do both packages run, but they run concurrently and so this is useless for the case of building packages.

What is going on here?

consumers should handle the failure gracefully

Running on a small repository I get the error

Error: Cannot find module 'fs-extra'

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• Update devDependency typescript to ~5.4.0
• Update actions/checkout action to v4
• Update actions/setup-node action to v4
• Update dependency commander to v12
• Update dependency git-url-parse to v14
• 🔐 Create all pending approval PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Lock file maintenance

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository