Skip to content

fix: Improve shrinkwrap generation handling#1228

Open
d3xter666 wants to merge 20 commits intomainfrom
fix-shrinkwrap-generation
Open

fix: Improve shrinkwrap generation handling#1228
d3xter666 wants to merge 20 commits intomainfrom
fix-shrinkwrap-generation

Conversation

@d3xter666
Copy link
Member

@d3xter666 d3xter666 commented Dec 4, 2025
edited
Loading

Enhances: #1231

@d3xter666 d3xter666 requested a review from a team December 4, 2025 11:30
@coveralls
Copy link

coveralls commented Dec 4, 2025
edited
Loading

Coverage Status

coverage: 94.69% (+0.1%) from 94.552%
when pulling ce48200 on fix-shrinkwrap-generation
into d0976b0 on main.

matz3
matz3 reviewed Dec 4, 2025
View reviewed changes
@RandomByte
Copy link
Member

RandomByte commented Dec 4, 2025

To verify the shrinkwrap:

npm i
cd packages/cli
node ../../internal/shrinkwrap-extractor/cli.js ../../
rm -rf node_modules # Delete node_modules within CLI package

# <Manually remove devDependencies in package.json>

npm ci --workspaces false

Before Matthias' fix this yielded the following error:

npm error Missing: @npmcli/package-json@7.0.4 from lock file
npm error Missing: @npmcli/package-json@7.0.4 from lock file
npm error Missing: globby@15.0.0 from lock file
npm error Missing: proc-log@6.1.0 from lock file
npm error Missing: proc-log@6.1.0 from lock file
npm error Missing: proc-log@5.0.0 from lock file
npm error Missing: proc-log@5.0.0 from lock file
npm error Missing: unicorn-magic@0.3.0 from lock file

Those dependencies where missing from the shrinkwrap, likely because multiple workspace packages dependent on different versions, overwriting each other.

I'm currently verifying the state after Matthias' fix. I suspect there might still be a problem with dependencies hoisted to the workspace root for packages other than the CLI, conflicting with dependencies of the CLI.

@RandomByte
Copy link
Member

RandomByte commented Dec 4, 2025

I suspect there might still be a problem with dependencies hoisted to the workspace root for packages other than the CLI, conflicting with dependencies of the CLI.

I added a failing test for this case. I'll work on a fix

@d3xter666 d3xter666 force-pushed the fix-shrinkwrap-generation branch 2 times, most recently from 56e1877 to 47fde0f Compare December 5, 2025 19:33
@d3xter666 d3xter666 requested review from a team and matz3 December 5, 2025 19:40
RandomByte
RandomByte requested changes Dec 8, 2025
View reviewed changes
internal/shrinkwrap-extractor/test/expected/package.c/npm-shrinkwrap.json Outdated
"resolved": "https://registry.npmjs.org/package/version.tgz",
"integrity": "sha512-mock-integrity-hash"
},
"node_modules/@ui5/target/node_modules/@sapui5/some-thirdparty": {
Copy link
Member

@RandomByte RandomByte Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this will work. If @ui5/target is the root package, it will never search the path node_modules/@ui5/target/node_modules/ for its dependencies.

For module @sapui5/some-thirdparty, the target package would resolve it to node_modules/@sapui5/some-thirdparty, which contains the wrong version now...

@d3xter666 d3xter666 force-pushed the fix-shrinkwrap-generation branch from 47fde0f to 795c6f6 Compare December 8, 2025 12:06
@d3xter666 d3xter666 changed the title fix: Normalize workspace paths in npm-shrinkwrap.json fix: Improve shrinkwrap generation handling Dec 9, 2025
@d3xter666 d3xter666 force-pushed the fix-shrinkwrap-generation branch from 445b150 to 40d48f6 Compare December 9, 2025 11:53
d3xter666 and others added 17 commits December 15, 2025 09:39
@d3xter666
test: Update shrinkwrap files
be4c9f2
@matz3 @d3xter666
fix: Improve solution
e694213
@RandomByte @d3xter666
test: Add test for dependencies hoisted to the workspace root for pac…
4bb3cc4 
…kages other than the target
@d3xter666
fix: Handle package with multiple versions, nesting and order
d668305
@d3xter666
refactor: Restore the original expectation
34faaf6
@d3xter666
fix: Correct package-lock fixture for package.c
787a9ec
@RandomByte @d3xter666
refactor: Revert "fix: Correct package-lock fixture for package.c"
04c92cc 
This reverts commit 2f3840a.
@RandomByte @d3xter666
test(shrinkwrap-extractor): Fix fixture for project.c
c4fdc34
@d3xter666
refactor: Fix normalizePackage resolver
b885aca
@d3xter666
refactor: Cleanup
4fb3fe3
@d3xter666
fix: Correct coverage reporting for node test runner
d190c3a
@d3xter666
fix: Version in expected shrinkwrap
f0caf22
@d3xter666
refactor: Properly handle shrinkwrap root dependencies
f1198b8
@d3xter666
test: Enhance test case for package.c
330e898
@d3xter666
refactor: Use Arborist's inventory to get the target node
4eb3ac2
@d3xter666
refactor: Start rewriting logic in 2 steps
c0d5f11 
Get the virtual tree in a flat format
Sort it, so that it the loop runs top to bottom
Start rewriting modules to the target root
@d3xter666
refactor: Use virtual and physical trees to resolve shrinkwrap
1da08f6
@d3xter666 d3xter666 force-pushed the fix-shrinkwrap-generation branch from 50393a9 to ce48200 Compare December 15, 2025 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RandomByte RandomByte RandomByte requested changes

@matz3 matz3 Awaiting requested review from matz3

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@d3xter666 @coveralls @RandomByte @matz3