Assertions on transitive dependencies

[jfirebaugh]

Thanks for making syncpack, it's been very useful for us at Figma!

Description

I often want to make assertions not just about what packages are directly depended on, but also about how transitive dependencies have been resolved.

Examples include:

• Assert that react resolves to a consistent version globally, whether it's a direct dependency or a transitive dependency.
• Assert that a package version with a security vulnerability is not present anywhere in the dependency tree.
• Assert that certain common packages are resolved consistently, whether direct or transitive, to avoid filesystem bloat (typescript, babel, aws-sdk, etc.)

Suggested Solution

It would be nice if syncpack supported this somehow. Perhaps there should be a special type of version group that applies to transitive dependencies, or it should be an additional property on existing version group types.

For my purposes, it's fine if this was a "check only" feature. That is, I would like syncpack lint to check this, but I don't necessary expect syncpack fix to be able to fix it (sometimes there's a package manager upgrade command that can fix it, but sometimes it requires types of manual intervention that can't be automated).

Help Needed

[JamieMason]

Thanks @jfirebaugh, I see the need for this but I think it's outside of the scope of syncpack – you'd have to go pretty deep on the various lockfile formats, package managers etc – even TypeScript config and bundler config can play a role. It would be a lot of work and best handled by a specialised tool and team focused on that problem on its own.

Thanks for raising, but it's not something I have bandwidth to take on.

[jfirebaugh]

Totally fair! Thanks again for what you have built!

[JamieMason]

You're welcome 👍