
Yarn packager excludes non-semver imports such as github references

Open · flipscholtz opened this issue 1 year ago · 1 comment

Describe the bug

The yarn packager assumes the format <name>@<semver>, where everything before the last @ is the name, and everything after it is the version.

This causes a problem for formats where a) the version is not valid semver, and b) the version contains multiple @ characters.

Both are illustrated by a github import like this:

"dependencies": {
   "@metacask/kyc-token-client": "github:mcask/kyc-token-client#0.3.2"
}

Re a): The semver comparison here returns false and so the package is excluded. (This only applies if the github import is a sub-package, i.e. yarn list --json returns shadow: true for it)

Re b): Even if the semver check is bypassed for invalid semver, the returned name still looks like this: @metacask/kyc-token-client@git+ssh://git. This is because the last @ in this case is part of the github ssh URL and doesn't denote the boundary between package name / version.

@metacask/kyc-token-client@git+ssh://git@github.com/mcask/kyc-token-client.git#0.3.2

This means the package does not pass the depWhitelist comparison for external packages here and so is still filtered out (it compares @metacask/kyc-token-client to @metacask/kyc-token-client@git+ssh://git).

To Reproduce

Clone the minimal repo here: https://github.com/flipscholtz/serverless-esbuild-github-deps-test

  1. Run yarn install
  2. Note that node_modules/@identity.com/package.json imports a metacask lib using a github reference:
     "@metacask/kyc-token-client": "git+ssh://git@github.com/mcask/kyc-token-client.git#0.3.2",
  3. Run yarn sls package
  4. Unzip the function .serverless/test.zip
  5. Note that the package's node_modules has no @metacask/kyc-token-client dependency.

Expected behavior

The github-referenced dependency should be included in the packaged sls node_modules.

Screenshots or Logs

N/A

Versions (please complete the following information):

  • OS: MacOS Ventura 13.0
  • Serverless Framework Version: 3.33.0
  • Plugin Version: 1.46.0

Additional context

Proposed solution:

  1. If the package reference can't be parsed to valid semver, the packager shouldn't do the semver comparison and should just include the package by default.
  2. The package name returned by the packager should be tolerant of multiple @ signs, such as in the case of github URLs, so it still returns the base name of the package accurately. Maybe a regex like this to get the name: ^(@[^@]+|[^@]+)

flipscholtz avatar Jul 26 '23 10:07 flipscholtz
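Added example (not serverless-esbuild's own code) contrasting the "split on the last @" parse described in the issue with the name regex proposed above, and showing why a git reference silently drops out of the bundle unless non-semver versions are included by default. The semver shape check and the exact-version comparison are stand-ins for the real semver library, and the sample specs are constructed here.

```javascript
// Naive parse: everything before the LAST "@" is the name. Breaks on
// "git+ssh://git@github.com/..." versions, which contain their own "@".
const NAIVE_LAST_AT = /^(.*)@([^@]*)$/;

// Regex proposed in the issue: a scoped name is "@scope/pkg" up to the next "@",
// an unscoped name is everything up to the first "@".
const NAME_RE = /^(@[^@]+|[^@]+)/;

// Assumption: minimal "looks like semver" check standing in for the semver package.
const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function parseNaive(spec) {
  const m = NAIVE_LAST_AT.exec(spec);
  return m ? { name: m[1], version: m[2] } : { name: spec, version: '' };
}

function parseTolerant(spec) {
  const name = NAME_RE.exec(spec)[1];
  // Whatever follows the separating "@" is the version/reference, "@" signs and all.
  const version = spec.length > name.length ? spec.slice(name.length + 1) : '';
  return { name, version, isSemver: SEMVER_RE.test(version) };
}

// Filtering as the issue proposes it: the sub-package must be on the whitelist
// by its real name; a git/github reference (not semver) is included by default,
// a semver version must match (exact equality stands in for a range match).
function shouldInclude(spec, depWhitelist, wantedVersion) {
  const { name, version, isSemver } = parseTolerant(spec);
  if (!depWhitelist.includes(name)) return false;
  if (!isSemver) return true;
  return version === wantedVersion;
}

// Constructed sample spec in the shape yarn list --json reports for the github dep.
const GIT_SPEC =
  '@metacask/kyc-token-client@git+ssh://git@github.com/mcask/kyc-token-client.git#0.3.2';

console.log(parseNaive(GIT_SPEC).name);     // "@metacask/kyc-token-client@git+ssh://git"
console.log(parseTolerant(GIT_SPEC).name);  // "@metacask/kyc-token-client"
console.log(shouldInclude(GIT_SPEC, ['@metacask/kyc-token-client'], '0.3.2')); // true
```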

I'll make a PR for this soon once I've sufficiently tested.

flipscholtz avatar Jul 26 '23 11:07 flipscholtz