chromatic-cli icon indicating copy to clipboard operation
chromatic-cli copied to clipboard

Published 20 hours ago verified publisher icon chromaui

add support to pnpm-lock.yaml file

Open lapa182 opened this issue 1 year ago • 6 comments

This pull request adds support to the pnpm-lock.yaml files.

I've updated the tests to also support this change, please let me know if there's anything further to apply this change to chromatic-cli!

Relates to issue #785

lapa182 avatar Nov 10 '23 11:11 lapa182

Thanks for the PR @lapa182! We'll take a look at this ASAP.

tevanoff avatar Nov 14 '23 20:11 tevanoff

I am trying these changes in our setup. I don't think it will work because snyk-nodejs-lockfile-parser does not support pnpm. It will likely report an error from https://github.com/chromaui/chromatic-cli/blob/602d90cfc31827d7a0f07b4243c5631eda4fe894/node-src/lib/getDependencies.ts#L28

Unknown lockfile pnpm-lock.yaml. Please provide either package-lock.json or yarn.lock.

https://github.com/snyk/nodejs-lockfile-parser/issues/111

Obi-Dann avatar Nov 29 '23 02:11 Obi-Dann

@Obi-Dann do you think you could create a specific condition just for PNPM and use https://www.npmjs.com/package/@pnpm/lockfile-file to parse the lock file just for pnpm? 🤔

lapa182 avatar Nov 29 '23 16:11 lapa182

Thanks @Obi-Dann! You're right, this won't change the current behavior since it won't be able to parse the pnpm lock file. It will fall back to looking at package.json which is what happens currently when it can't find the lock file at all.

@lapa182 that pnpm library looks promising, but we haven't yet dug into it enough to know if it will give us what we need. We have a ticket on our end to take a closer look, but I can't say for sure when that will be prioritized. I'll see if I can get some traction on that. Thanks!

tevanoff avatar Nov 29 '23 17:11 tevanoff

Having the same issue...please fix this! ❤️

kevinlandsberg avatar Feb 29 '24 16:02 kevinlandsberg

const headTree = await buildDepTreeFromFiles(rootPath, manifestPath, lockfilePath, includeDev);

related: my parse-package-lock is a generic lockfile parser for npm, yarn, pnpm to provide a generic interface to @npmcli/arborist, @yarnpkg/parsers, @pnpm/lockfile-file

but it does not return a tree of dependencies its a stream parser that calls

eventHandlers.enterPackage(packageData);
// recurse into dependencies of this package
eventHandlers.leavePackage(packageData);

i started this 2 years ago because i was not happy with snyk-nodejs-lockfile-parser also because it does not return the resolved and integrity values of the locked packages

downsides: not used, not tested, abandoned project i just found this again via my pnpm-install-only which is a generic package installer for npm, yarn, (not yet pnpm) using the filesystem layout of pnpm to create a deep tree

edit: https://github.com/antongolub/lockfile is more mature, but has no pnpm support

milahu avatar Mar 27 '24 17:03 milahu