Open alumni opened 11 months ago
Thanks. This is the same for npm overrides too. We got vulnerabilities and, since we did not control the CI/CD process, we had to copy over the whole package.json as a workaround, which doubled the image size.
@alumni Thanks for reporting. We'll investigate this.
pnpm supports 2 types of overrides: pnpm.overrides and resolutions (for yarn compatibility). We ended up using resolutions because Renovate doesn't handle overrides at the moment.
Current workaround is to patch nx to copy the needed keys from the root package.json:
patches/nx@15.9.4.patch:
diff --git a/src/plugins/js/package-json/create-package-json.js b/src/plugins/js/package-json/create-package-json.js
index 8b8c0224eb9c91dbf61f2d1ad73bca879b3c6d26..1d5a3dc2bbeac48b8eefc25fb147e2ee15ada725 100644
--- a/src/plugins/js/package-json/create-package-json.js
+++ b/src/plugins/js/package-json/create-package-json.js
@@ -100,6 +100,9 @@ function createPackageJson(projectName, graph, options = {}) {
packageJson.dependencies && (packageJson.dependencies = (0, object_sort_1.sortObjectByKeys)(packageJson.dependencies));
packageJson.peerDependencies && (packageJson.peerDependencies = (0, object_sort_1.sortObjectByKeys)(packageJson.peerDependencies));
packageJson.peerDependenciesMeta && (packageJson.peerDependenciesMeta = (0, object_sort_1.sortObjectByKeys)(packageJson.peerDependenciesMeta));
+ rootPackageJson.packageManager && (packageJson.packageManager = rootPackageJson.packageManager);
+ rootPackageJson.pnpm && (packageJson.pnpm = rootPackageJson.pnpm);
+ rootPackageJson.resolutions && (packageJson.resolutions = rootPackageJson.resolutions);
return packageJson;
}
exports.createPackageJson = createPackageJson;
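Review bot: the three added assignments copy rootPackageJson.pnpm and rootPackageJson.resolutions wholesale, so pnpm.patchedDependencies will still name packages that the pruned packageJson.dependencies no longer contains; pnpm refuses to install with a patch whose target package is absent unless allowNonAppliedPatches is set, so consider filtering patchedDependencies (and the patch files it points at) down to packages that remain in the generated dependency tree before assigning. Also, the hunk does not show where rootPackageJson is defined; confirm it is actually in scope inside createPackageJson at this point rather than an undefined reference in the patched build output.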
Fix for patches in package.json:
{
  "pnpm": {
    "allowNonAppliedPatches": true,
    "patchedDependencies": {...}
  }
}
To fix lockfile pruning and the creation of node_modules, we use the root lockfile and run pnpm prune:
COPY patches patches
COPY ["dist/apps/<app>/package.json", "pnpm-lock.yaml", "./"]
RUN pnpm prune --prod \
&& rm -rf patches
I know nx 15.9 has limited pnpm lockfile support, but we also cherry-picked some fixes from 16.x (IIRC the entire lockfile parser); it seems it still doesn't handle patches/resolutions.
I don't know that it will get merged, but I created a PR to hopefully just copy the pnpm and packageManager sections with every newly generated package.json file.
@riceboyler, that would unfortunately not work. We need to copy over the patched files as well. And those need to be pruned.
Is there any resolution on this? I desperately need to use overrides.
Current Behavior
GeneratePackageJson will not copy and trim overrides/patchedDependencies to the generated lockfile (or package.json).
Expected Behavior
The expectation is that the generated package.json and pnpm-lock.yaml would be correct and pnpm install --frozen-lockfile does not error.
GitHub Repo
No response
Steps to Reproduce
1. package.json: generatePackageJson: true.
2. package.json and pnpm-lock.yaml.
3. pnpm install --frozen-lockfile fails.
Nx Report
Failure Logs
No response
Operating System
Additional Information
No response