[proposal] lerna publish with uncommitted changes

[Filipoliko]

Hi,
I would like to propose a new option for lerna publish command, which would allow us to run lerna publish with uncommitted changes to the packages.

We need this behaviour for our benchmark test, where we publish all monorepo packages to temporary private registry, then install all these published packages to our skeleton web application. Then we build and run this web application and run simple performance tests to check, that we did not cause some critical performance issues. We run this test in CI and don't want to push, or create any commits.

Pseudo Script

# Example Repository Structure
# packages/package-a
# packages/package-b
# packages/skeleton (private)
# package.json

# Benchmark Test Script
npm install
npx lerna version prerelease --no-push --no-commit-hooks --no-git-tag-version --allow-branch '*'
npx lerna publish from-package --registry "$PRIVATE_REGISTRY" --no-push --no-git-reset # + some option to ignore uncommitted changes error

# Prepare Skeleton Website
cd $WEB_APPLICATION_PATH
npm install --registry "$PRIVATE_REGISTRY"
npm run build
npm start &

# Run Test Against Our Website
autocannon localhost:3001

I found a solution to use git update-index --assume-unchanged ., that we could use in CI, but it seems a little bit dangerous and ugly and if somebody tries to run the script locally, it can have some horrible consequences.

I also tried to simply run lerna bootstrap to link all the packages together, but I ran into another issue with our gulp tasks package, which is used by skeleton web app. Since all the linked dependencies are just symlinks and can use only its own dependencies, it makes a problem when a gulp task requires some project file, which requires some project dependency, which is not a dependency of the gulp task package (I hope its understandable :D ). This could be solved by installing all the required packages as dev dependency also to the gulp task package, but it seems rather ugly solution. Also, it is more reliable test, if I try to install actually published packages, since this would also test correctly set dev/production dependencies.

I could not think of any other solution for our use case, but to create custom script to publish all the packages. But it seems unnecessarily complicated solution, because I would expect, that there should be some option for the lerna publish command, which would allow us to ignore uncommitted changes to the project.

Proposal

lerna publish --skip-check-working-tree

The option --skip-check-working-tree would skip the check-working-tree and the command would not fail, when there are some uncommitted changes in the project, when trying to publish the packages.

Another solution would be to attach this behaviour to --no-git-reset, but I am not sure, if I understand this option correctly.

Related Issues

#1581

---

Thank you for your attention and keep up the great work!

Filip

[diminutivesloop]

This would also be useful for our project where we want to enforce usage of an internal npm registry for package installs via .npmrc but we can't commit .npmrc because npm login modifies it right before we run lerna publish. Alternatively lerna publish could support an --ignore option.

[seantcanavan]

Would love to see this feature as well

[arlukin]

This would also be useful for our project where we want to enforce usage of an internal npm registry for package installs via .npmrc but we can't commit .npmrc because npm login modifies it right before we run lerna publish. Alternatively lerna publish could support an --ignore option.

I had a similar problem in my cicd process. I do this.

 "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
lerna publish from-package --yes --no-verify-access

And had to add .npmrc to my .gitignore.

[diminutivesloop]

Also this appears to be a security issue as being unable to check-in .npmrc opens the door for a dependency confusion attack at least on dev machines that run npm install instead of npm ci.

[anlesk]

Yes, missing that as well!

[justrhysism]

Azure DevOps Pipelines modifies the .npmrc when authenticating, resulting in this issue.

I've had to work around it by ignoring the .npmrc file (with it already checked in) but that is far from ideal.

[ciobanudann]

This would also be useful for our project where we want to enforce usage of an internal npm registry for package installs via .npmrc but we can't commit .npmrc because npm login modifies it right before we run lerna publish. Alternatively lerna publish could support an --ignore option.

You can just use this in you CI/CD
    - name: Setting Up NPM
      run: |
          npm set @organization:registry=https://npm.pkg.github.com/organization
          npm set "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}"

[IndiraSDev]

Hello All! Can anyone please let me know if there's any update on this? I too see the same error, which says
"lerna verb git-describe undefined => "v2.0.5-g*-dirty"
lerna sill git-describe parsed => {"lastTagName":"v2.0.5","lastVersion":"v2.0.5","refCount":"11","sha":"*","isDirty":true}
lerna sill collect-uncommitted git status --porcelain (async)
lerna ERR! EUNCOMMIT Working tree has uncommitted changes, please commit or remove the following changes before continuing:"

I am not sure how to proceed from here. As far as I checked, the working tree says, it is clean.

[szwalkowski]

+1.
Creating fake commit is just awful