
Health report of package.json for CI use #1

Merged: 28 commits merged into main from mxdvl/initial-script on Jan 25, 2023

Conversation

@mxdvl (Member) commented Jan 20, 2023

What does this change?

Adds a new script that audits a package.json file:

  • errors if the package.json file is invalid
  • errors if there are mismatched peer dependencies
  • errors if there are duplicate entries in dependencies, devDependencies and peerDependencies.

In the future it could also:

  • error if peerDependencies do not have a matching pinned devDependencies to the minimum matching the range
  • error if private packages have anything but devDependencies
  • error if any of the dependencies’ peerDependencies are mismatched
  • error if there are @types/* dependencies that are mismatched

Builds on the ideas in guardian/dotcom-rendering#7003

How to test

Run the following script:

deno run \
	--allow-net=registry.npmjs.org \
	--allow-read=. \
	https://raw.githubusercontent.com/guardian/actions-npm-dependencies/mxdvl/initial-script/main.ts \
	./package.json  \
	--verbose --cache

How can we measure success?

Fewer mismatched dependencies, no duplicate dependencies.

Have we considered potential risks?

There could be false positives or negatives if this is not done right, which would prevent adoption.

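The three checks the description lists (invalid package.json, peer ranges not satisfied, duplicate entries across dependencies/devDependencies/peerDependencies), written out as an added example that is not the project's main.ts. The peer index is a constructed map standing in for the registry fetch so it runs offline, and the semver matcher is a deliberately minimal one for exact, `^`, `~` and `*` ranges (an assumption here, not the project's implementation).

```typescript
// Added example, not the project's code: audit a package.json in memory.
type Deps = Record<string, string>;
type Manifest = { dependencies?: Deps; devDependencies?: Deps; peerDependencies?: Deps };
type PeerIndex = Record<string, Deps>; // package name -> its peerDependencies (constructed stand-in for the registry)

const SECTIONS = ["dependencies", "devDependencies", "peerDependencies"] as const;

// Parses a pinned version such as "4.9.4"; anything else (ranges, tags) yields null.
function parseVersion(v: string): number[] | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Minimal semver matcher (assumption): exact, "^", "~" and "*" only.
function satisfies(version: string, range: string): boolean {
  const v = parseVersion(version);
  const r = range.trim();
  if (!v) return false;
  if (r === "*" || r === "") return true;
  const op = r.startsWith("^") ? "^" : r.startsWith("~") ? "~" : "";
  const base = parseVersion(r.slice(op.length));
  if (!base) return false;
  const cmp = v.map((n, i) => n - base[i]).find((d) => d !== 0) ?? 0; // sign of v - base
  if (cmp < 0) return false;
  if (op === "") return cmp === 0;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  const pivot = base.findIndex((n) => n !== 0); // caret: first non-zero component is fixed
  return pivot === -1 ? cmp === 0 : v.slice(0, pivot + 1).every((n, i) => n === base[i]);
}

// A name listed in more than one of the three sections is a duplicate entry.
function findDuplicates(pkg: Manifest): string[] {
  const seen = new Map<string, number>();
  for (const s of SECTIONS) for (const name of Object.keys(pkg[s] ?? {})) seen.set(name, (seen.get(name) ?? 0) + 1);
  return [...seen].filter(([, n]) => n > 1).map(([name]) => name).sort();
}

// For every declared dependency, check that each of its peers is present and within range.
function findPeerMismatches(pkg: Manifest, peers: PeerIndex): string[] {
  const declared: Deps = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  const problems: string[] = [];
  for (const name of Object.keys(declared)) {
    for (const [peer, range] of Object.entries(peers[name] ?? {})) {
      const have = declared[peer];
      if (have === undefined) problems.push(`${name} needs peer ${peer}@${range} (missing)`);
      else if (!satisfies(have, range)) problems.push(`${name} needs peer ${peer}@${range}, found ${have}`);
    }
  }
  return problems;
}

// Returns a list of findings; an empty list means the manifest passed.
function audit(json: string, peers: PeerIndex): string[] {
  let pkg: Manifest;
  try { pkg = JSON.parse(json); } catch (e) { return [`invalid package.json: ${(e as Error).message}`]; }
  return [...findDuplicates(pkg).map((n) => `duplicate entry: ${n}`), ...findPeerMismatches(pkg, peers)];
}

// Constructed sample manifest and peer index (not real registry data).
const SAMPLE = JSON.stringify({
  dependencies: { react: "18.2.0", "react-dom": "17.0.2" },
  devDependencies: { react: "18.2.0", "@types/react": "18.0.26" },
  peerDependencies: { react: "^18.0.0" },
});
const PEERS: PeerIndex = { "react-dom": { react: "^17.0.2" }, "@types/react": {} };
```

On the sample, `audit(SAMPLE, PEERS)` reports `react` as a duplicate entry and `react-dom` as needing `react@^17.0.2` while `18.2.0` is declared.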

- parse package.json
- fetch peer dependencies online
- check if there are mismatches in peers
- keep things testable via functional

Instead of looping twice over the dependencies,
check whether they are satisfied via the registry
call directly based on minimum range version or optional.
@mxdvl mxdvl added the enhancement New feature or request label Jan 24, 2023
@mxdvl mxdvl changed the title Add initial script CI script for healthy package.json Jan 25, 2023
@mxdvl mxdvl force-pushed the mxdvl/initial-script branch 6 times, most recently from 2610bd6 to 6e6735f on January 25, 2023 12:12
Ran a benchmark to compare parsing `typescript`
and the results are incredible:
- registry.npmjs.org ~ 75ms
- unpkg.com ~ 150 µs (0.15ms)

Instead of getting all possible versions of a package,
it’s best to target a specific version directly.
@mxdvl mxdvl changed the title CI script for healthy package.json Health report of package.json for CI use Jan 25, 2023
@mxdvl mxdvl merged commit 2bc1b48 into main Jan 25, 2023
@mxdvl mxdvl deleted the mxdvl/initial-script branch January 25, 2023 13:35