rushstack
rushstack copied to clipboard
microsoft
[rush] Support PNPM "overrides" field in package.json
Summary
PR https://github.com/microsoft/rushstack/pull/1360 enabled support for Yarn resolutions.
Turns out that PNPM has this same feature, but called overrides.
We should:
- Confirm whether it works properly with Rush; if not, get it working
- Recommend to use it instead of pnpmfile.js (because config data is preferable to executable code). The pnpmfile.js feature would still be supported for advanced problems.
Hello @iclanton and @D4N14L, Can you point to a link or an example where this could be supported by Workspaces?
Have you tried using it and it just doesn't work? If so, it's possible that it's not working because the overrides need to be specified in the root project (see docs: https://pnpm.io/package_json#pnpmoverrides), which in the case of Rush is generated in common/temp. This is what happened in a separate issue (#3293). Support would likely need to be added to Rush in some way, though I don't personally have the bandwidth to implement this.
Worth noting that it's not just overrides, but the rest of the pnpm root-level configs on that page (the linked issue is for peerDependencyRules).
Also, common/temp/package.json is wiped and reset with most relevant rush commands, so it can't be kept there. Not to mention the generated .gitignore excludes that from version control.
Would throwing something into rush.json work? Or would this be too bloated?
"pnpmOptions": {
// ...
"overrides": {
"foo": "^1.0.0",
"quux": "npm:@myorg/quux@^1.0.0",
"bar@^2.1.0": "3.0.0",
"qar@1>zoo": "2"
},
"peerDependencyRules": {
"ignoreMissing": ["react"]
}
}
You'd probably want to disallow engines since we already have pnpmVersion in rush.json.
I think this is already covered by this line of code using globalOverrides and it was released in version 5.79
@gabrielpioto I tested with 5.79.0 and it seems like it still does not take into account the pnpm.overrides section. Am I missing something?
Btw I'm using pnpm workspaces
I think it's an important feature to implement because having to override some transitive dependencies for security or feature things is quite common (unfortunately). @iclanton @octogonz let me know if you guys have no bandwidth I'd be happy to start contributing and land a PR
I think this is already covered by this line of code using
globalOverridesand it was released in version 5.79
Yes, we already fixed this. The full docs are in common/config/rush/pnpm-config.json.
@antoine-coulon Can you provide a more detailed repro? Otherwise I think we should close #2698 as already "fixed".
I think this is already covered by this line of code using
globalOverridesand it was released in version 5.79Yes, we already fixed this. The full docs are in common/config/rush/pnpm-config.json.
@antoine-coulon Can you provide a more detailed repro? Otherwise I think we should close #2698 as already "fixed".
Thanks @octogonz for sharing the newly introduced pnpm-config.json I wasn't aware of. Is it planned to add this file in the config file reference?
Consequently I just added the pnpm-config.json with the following config:
{
"$schema": "https://developer.microsoft.com/json-schemas/rush/v5/pnpm-config.schema.json",
"useWorkspaces": true,
"strictPeerDependencies": true,
"pnpmStore": "local",
"preventManualShrinkwrapChanges": true,
"globalOverrides": {
"moment": "2.29.4"
}
}
When doing a rush update, it effectively adds the pnpm.overrides property in the common/temp/package.json as stated by this change mentioned here:
"pnpm": {
"overrides": {
"moment": "2.29.4"
}
}
However it seems that there is no impact on the pnpm lockfile itself (common/config/rush/pnpm-lock.yaml), it seems like nothing is updated afterwards. Moreover I noticed that when I manually delete the lockfile and then I run rush update once again it seems to work, the newly created lockfile effectively includes the overrides property resulting in a dependency tree update in the lockfile:
overrides:
moment: 2.29.4
/somewhere-in-the-tree:
moment: 2.29.4
Am I missing something in order for the pnpm overrides prop to be reflected in the dependency tree?
@chengcyber Is this the expected behavior?
One guess is running "rush update --full" or "rush update --recheck" is needed after any modification of "pnpm-config.json". Kind of similar as running "rush update --full" is needed after changing pnpmfile.
Hi @antoine-coulon , you can try to run "rush update --recheck" or "rush update --full" after changing pnpm-config.json. If the issue still happens, could you kindly give me a minimal reproduce repo? This will be a great help to check this issue for you.
@chengcyber Is this the expected behavior?
One guess is running "rush update --full" or "rush update --recheck" is needed after any modification of "pnpm-config.json". Kind of similar as running "rush update --full" is needed after changing pnpmfile.
Hi @antoine-coulon , you can try to run "rush update --recheck" or "rush update --full" after changing pnpm-config.json. If the issue still happens, could you kindly give me a minimal reproduce repo? This will be a great help to check this issue for you.
Hello @chengcyber!
I just tried with --recheck and --full options and both work very well (I wasn't sure it was the expected behavior so that's why I wanted to check that with you).
Consequently I'm confirming that the version 5.79.0 of Rush works with pnpm.overrides 🥳
Thanks @chengcyber @octogonz for the quick responses 🏍️
I guess this issue can be closed as of Rush now supports this with the 5.79.0 version.