nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License
22.59k stars · 2.25k forks

GeneratePackageJson: package.json with overrides or patches generate incorrect lockfile #18402

Open alumni opened 11 months ago

alumni commented 11 months ago

Current Behavior

GeneratePackageJson will not copy and trim overrides / patchedDependencies to the generated lockfile (or package.json)

Expected Behavior

The expectation is that the generated package.json and pnpm-lock.yaml would be correct and pnpm install --frozen-lockfile does not error.

GitHub Repo

No response

Steps to Reproduce

  1. Create e.g. a NestJS app in the monorepo with the following package.json:
{
  "dependencies": {
    "@nestjs/axios": "3.0.0"
  },
  "pnpm": {
    "overrides": {
      "axios": "0.27.2"
    }
  }
}
  2. Add an app with a build target that contains generatePackageJson: true.
  3. Build the app.
  4. Unexpected 1: pnpm overrides (and patches) are missing from the generated package.json and pnpm-lock.yaml.
  5. Unexpected 2: Running pnpm install --frozen-lockfile fails.

Nx Report

Node : 18.17.0
OS   : win32 x64
pnpm : 8.6.10

nx                      : 15.9.4
@nrwl/js                : 15.9.4
@nrwl/jest              : 15.9.4
@nrwl/linter            : 15.9.4
@nrwl/workspace         : 15.9.4
@nrwl/cli               : 15.9.4
@nrwl/devkit            : 15.9.4
@nrwl/eslint-plugin-nx  : 15.9.4
@nrwl/nest              : 15.9.4
@nrwl/node              : 15.9.4
@nrwl/tao               : 15.9.4
@nrwl/webpack           : 15.9.4
typescript              : 5.1.6

Failure Logs

No response

Operating System

Additional Information

No response

craigneasbey commented 10 months ago

Thanks. This is the same for npm overrides too. We got vulnerabilities and, since we did not control the CI/CD process, we had to copy over the whole package.json as a workaround, which doubled the image size.

jaysoo commented 10 months ago

@alumni Thanks for reporting. We'll investigate this.

alumni commented 10 months ago

pnpm supports 2 types of overrides: pnpm.overrides and resolutions (for yarn compatibility). We ended up using resolutions because Renovate doesn't handle overrides at the moment.

Current workaround is to patch nx to copy the needed keys from the root package.json:

patches/nx@15.9.4.patch:

diff --git a/src/plugins/js/package-json/create-package-json.js b/src/plugins/js/package-json/create-package-json.js
index 8b8c0224eb9c91dbf61f2d1ad73bca879b3c6d26..1d5a3dc2bbeac48b8eefc25fb147e2ee15ada725 100644
--- a/src/plugins/js/package-json/create-package-json.js
+++ b/src/plugins/js/package-json/create-package-json.js
@@ -100,6 +100,9 @@ function createPackageJson(projectName, graph, options = {}) {
     packageJson.dependencies && (packageJson.dependencies = (0, object_sort_1.sortObjectByKeys)(packageJson.dependencies));
     packageJson.peerDependencies && (packageJson.peerDependencies = (0, object_sort_1.sortObjectByKeys)(packageJson.peerDependencies));
     packageJson.peerDependenciesMeta && (packageJson.peerDependenciesMeta = (0, object_sort_1.sortObjectByKeys)(packageJson.peerDependenciesMeta));
+    rootPackageJson.packageManager && (packageJson.packageManager = rootPackageJson.packageManager);
+    rootPackageJson.pnpm && (packageJson.pnpm = rootPackageJson.pnpm);
+    rootPackageJson.resolutions && (packageJson.resolutions = rootPackageJson.resolutions);
     return packageJson;
 }
 exports.createPackageJson = createPackageJson;
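
Review bot: `rootPackageJson` is not declared anywhere in this hunk's context (the function receives only `projectName`, `graph` and `options`), so confirm it is actually in scope in the full `createPackageJson` before relying on the three added lines. The `rootPackageJson.pnpm` line also copies `patchedDependencies` verbatim even though the patch files those entries point to are not placed next to the generated package.json (which is why the comment below has to set `allowNonAppliedPatches` and `COPY patches patches` separately), and `overrides`/`resolutions` are copied whole rather than trimmed to the packages that survive pruning. Consider filtering each map to packages present in `graph` and returning the list of patch files the build must ship, instead of the blanket copy.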

Fix for patches in package.json:

{
    "pnpm": {
        "allowNonAppliedPatches": true,
        "patchedDependencies": {...}
    }
}

To fix lockfile pruning and the creation of node_modules, we use the root lockfile and run pnpm prune:

COPY patches patches
COPY ["dist/apps/<app>/package.json", "pnpm-lock.yaml", "./"]
RUN pnpm prune --prod \
    && rm -rf patches

I know nx 15.9 has limited pnpm lockfile support, but we also cherry-picked some fixes from 16.x (IIRC the entire lockfile parser); it seems it still doesn't handle patches/resolutions.

riceboyler commented 8 months ago

I don't know that it will get merged, but I created a PR to hopefully just copy the pnpm and packageManager sections with every newly generated package.json file.

meeroslav commented 8 months ago

@riceboyler, that would unfortunately not work. We need to copy over the patched files as well. And those need to be pruned.
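
The merge the two comments above describe, as an added example that is neither nx's code nor the patch from the earlier comment: the root manifest's pnpm override keys are copied into the generated package.json, trimmed to the packages that survive pruning, and the patch files that must ship alongside are listed. The root and generated manifests and the installed-package set are constructed from the issue's snippet (the lodash override and the axios patch are made up); a dropped override silently reinstates the version it was pinning, so the `dropped` list is worth failing the build on.

```javascript
// Name of the package an override selector targets: "axios", "axios@<1" and
// "@nestjs/axios>axios" all target "axios"; "@scope/pkg@^2" targets "@scope/pkg".
function overrideTarget(selector) {
  const last = selector.split('>').pop().trim();
  const at = last.indexOf('@', last.startsWith('@') ? 1 : 0);
  return at === -1 ? last : last.slice(0, at);
}

// Merge the override-related keys of the workspace root package.json into a
// generated, pruned package.json. `installed` is the set of package names that
// survive pruning (e.g. the package names in the pruned pnpm-lock.yaml); an
// override or patch for a package no longer in the tree is reported as dropped.
// Also returns the patch files that must be copied next to the manifest.
function mergePnpmOverrides(rootPkg, generatedPkg, installed) {
  const out = { ...generatedPkg };
  if (rootPkg.packageManager) out.packageManager = rootPkg.packageManager;
  const dropped = [];
  const keep = (obj) => Object.fromEntries(Object.entries(obj || {}).filter(([key]) => {
    const wanted = installed.has(overrideTarget(key));
    if (!wanted) dropped.push(key);
    return wanted;
  }));
  const overrides = keep(rootPkg.pnpm && rootPkg.pnpm.overrides);
  const patched = keep(rootPkg.pnpm && rootPkg.pnpm.patchedDependencies);
  const resolutions = keep(rootPkg.resolutions);
  const pnpm = {};
  if (Object.keys(overrides).length) pnpm.overrides = overrides;
  if (Object.keys(patched).length) pnpm.patchedDependencies = patched;
  if (Object.keys(pnpm).length) out.pnpm = pnpm;
  if (Object.keys(resolutions).length) out.resolutions = resolutions;
  return { packageJson: out, dropped, patchFiles: Object.values(patched) };
}

// Constructed sample based on the issue's manifest; the lodash override and the
// axios patch are made up to show pruning and patch-file reporting.
const ROOT_PKG = {
  packageManager: 'pnpm@8.6.10',
  dependencies: { '@nestjs/axios': '3.0.0', lodash: '4.17.21' },
  pnpm: {
    overrides: { axios: '0.27.2', lodash: '4.17.21' },
    patchedDependencies: { 'axios@0.27.2': 'patches/axios@0.27.2.patch' },
  },
};
const GENERATED_PKG = { name: 'app', dependencies: { '@nestjs/axios': '3.0.0' } };
// Package names present in this app's pruned lockfile (constructed).
const INSTALLED = new Set(['@nestjs/axios', 'axios']);

function demo() { return mergePnpmOverrides(ROOT_PKG, GENERATED_PKG, INSTALLED); }
console.log(JSON.stringify(demo(), null, 2));
```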

stephkoltun commented 3 months ago

Is there any resolution on this? I desperately need to use overrides.