Check for duplicate packages in PNPM lockfile

Implements a simple CLI to avoid accidental duplicates for central package dependencies, since peerDependencies do not scale well.

The CLI can be configured to run in normal pnpm workflows via the prepare script:

// package.json
{
    "scripts": {
        "prepare": "check-pnpm-duplicates -c path/to/config.yaml"
    }
}

By default, all duplicate packages are reported as errors:

$ pnpm check-pnpm-duplicates 
Found unexpected duplicate packages:
  - "@changesets/types" # (versions 4.1.0, 6.0.0)
  - "@pnpm/dependency-path" # (versions 5.1.3, 5.1.6)
  - "@pnpm/resolver-base" # (versions 13.0.1, 13.0.4)
  ...

To resolve these issues, consider taking one of the following steps:
  - Run 'pnpm dedupe'
  - Investigate why the package is duplicated (try running 'pnpm why -r <package>') and try to resolve the duplication.
  - If the duplication is not a problem, add the package to the allowed list in the configuration file.

A configuration file can be used to specify expected duplicates which are known to not cause any problems:

# path/to/config.yaml
#
# This is the configuration file for the check-pnpm-duplicates CLI.
# See <https://www.npmjs.com/package/@open-pioneer/check-pnpm-duplicates> for more details.

# Ignore any duplicates in devDependencies.
skipDevDependencies: true

# List of packages that are allowed to have duplicates.
#
# You can list packages here that do not cause issues when they are present multiple times in your project.
# You SHOULD NOT list central dependencies here, such as react or any trails packages.
allowed:
    - "some-package-name"

When any unexpected duplicates are detected, the CLI returns a failure and an error message. Otherwise, it returns exit code 0.

open-pioneer / trails-build-tools

Check for duplicate packages in PNPM lockfile #75

🦋 Changeset detected