Add support for pnpm lock file format 6 #1028
Conversation
src/Microsoft.ComponentDetection.Detectors/pnpm/PnpmComponentDetector.cs
Show resolved
Hide resolved
| @@ -30,7 +31,7 @@ public class PnpmComponentDetector : FileComponentDetector | |||
|
|
|||
| public override IEnumerable<ComponentType> SupportedComponentTypes { get; } = new[] { ComponentType.Npm }; | |||
|
|
|||
| public override int Version { get; } = 5; | |||
| public override int Version { get; } = 6; | |||
There was a problem hiding this comment.
I think I'm supposed to update this because I made changes, but I'd like confirmation that that's the correct thing to do.
There was a problem hiding this comment.
When we introduce detectors which may affect the component graph being updated (new component type, new lockfile, etc) we like to introduce them as experimental detectors (see detector lifecycle).
If possible, would you be able to introduce a new detector for V6 so we are able to run the experiments? We can merge the code back into the main detection logic after. #684 has some example configuration.
There was a problem hiding this comment.
I'd be happy to help make these changes as well if needed
There was a problem hiding this comment.
That sounds like an excellent way to reduce risk in cases like this.
I'd be happy to help make these changes as well if needed
That would be great. I don't know this codebase well (I just spent a day and a half making this as part of a hackathon), so I suspect you could do that much more efficiently than I could. I'm happy to have you take over any part or all of this work.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1028 +/- ##
=====================================
Coverage 75.3% 75.4%
=====================================
Files 237 241 +4
Lines 10423 10512 +89
Branches 1043 1054 +11
=====================================
+ Hits 7858 7927 +69
- Misses 2272 2286 +14
- Partials 293 299 +6 ☔ View full report in Codecov by Sentry. |
|
It appears that the VS code dev container setup doesn't include PowerShell so I can't run the VerificationTests.ps1 script locally. The instructions in there also make explicit reference to visual studio. It also says "The automation script above will output variables that needs to be replaced in Anyway its unclear to me what the workflow is for adding more test cases to the verification script. I'd like to include my added v6 file works but I don't know how. |
|
Looking at the code coverage, I determined I could use a test for the shared-shrinkwrap case that workspaces use, and one for renamed/aliased dependencies, so I have added both. More testing is possible (ex: file and link cases, peer deps etc.) but I think I'm past the point of diminishing returns. |
|
@microsoft/ose-component-detection-maintainers : I'd like assistance dealing with the snapshot tests as noted in #1028 (comment). If this is not practical to get assistance on, I can revert the extended snapshot test coverage which should get this passing on CI: maybe that would get this reviewed sooner? |
| @@ -30,7 +31,7 @@ public class PnpmComponentDetector : FileComponentDetector | |||
|
|
|||
| public override IEnumerable<ComponentType> SupportedComponentTypes { get; } = new[] { ComponentType.Npm }; | |||
|
|
|||
| public override int Version { get; } = 5; | |||
| public override int Version { get; } = 6; | |||
There was a problem hiding this comment.
When we introduce detectors which may affect the component graph being updated (new component type, new lockfile, etc) we like to introduce them as experimental detectors (see detector lifecycle).
If possible, would you be able to introduce a new detector for V6 so we are able to run the experiments? We can merge the code back into the main detection logic after. #684 has some example configuration.
src/Microsoft.ComponentDetection.Detectors/pnpm/PnpmComponentDetector.cs
Show resolved
Hide resolved
| @@ -30,7 +31,7 @@ public class PnpmComponentDetector : FileComponentDetector | |||
|
|
|||
| public override IEnumerable<ComponentType> SupportedComponentTypes { get; } = new[] { ComponentType.Npm }; | |||
|
|
|||
| public override int Version { get; } = 5; | |||
| public override int Version { get; } = 6; | |||
There was a problem hiding this comment.
I'd be happy to help make these changes as well if needed
src/Microsoft.ComponentDetection.Detectors/pnpm/PnpmComponentDetector.cs
Show resolved
Hide resolved
| ProcessDependencySet(package); | ||
| } | ||
|
|
||
| void ProcessDependencySet(PnpmHasDependenciesV6 item) |
There was a problem hiding this comment.
nit: can these be declared as explicit functions rather than locals for RecordDependencyGraphFromFileV6?
There was a problem hiding this comment.
I choose to do it this way so they could be scoped to v6 specific code, and not require as many parameters. They could of course be moved to a larger scope, given more specific names, and have everything passed in: that just seemed messier to me. If you refactor the v5 and v6 detector to be more separated, moving these to a larger scope would be more attractive.
|
|
||
| // Strip parenthesized suffices from package. These hold peed dep related information that is unneeded here. | ||
| // An example of a dependency path with these: /webpack-cli@4.10.0(webpack-bundle-analyzer@4.10.1)(webpack-dev-server@4.6.0)(webpack@5.89.0) | ||
| var fullPackageNameAndVersion = pnpmDependencyPath.Split("(")[0]; |
There was a problem hiding this comment.
is this guaranteed to always have [0]? do we need to do index checks beforehand?
There was a problem hiding this comment.
My understanding is splitting a string always returns at least one part, even if there is no separator or the string is empty, so this should be fine. There likely is a more explicit way to do this (for example with a regular expression), but this should work fine.
I'll follow up internally here as the verification CI tests use a private repo which we can add the additional test file to. |
When adding new components like this, the verification test failures are expected as it is performing a diff based on the last "known good version" so adding new files will trip the failure. I'll verify before merging but you shouldn't need to worry about this for now. |
cobya
added
version:minor
type:feature
|
Closing this as #1110 has been opened with the related experiments changes. |
This addresses #503 by doing the following:
The old code wasn't clear about what file formats it actually worked with, and a lot of its tests seems to be from versions earlier than 5 which it didn't really parse correctly (ex: the version it parses isn't present in those versions as it had a different name).
Thus to preserve existing behavior I pointed cases which failed to detect a version through the old V5 code.
The included verification tests didn't cover a lot of cases (link and file references, aliased packages, shared shrink-wrap format, disambiguated deps with peer deps) so I also tested on the package lock from https://github.com/microsoft/FluidFramework which is 44k lines and has all the mentioned edge cases.
If desired, I can add the v5 and v6 versions of that file to the verification tests directory.
This should be in a working state but I need to actually understand how the verification tests results are verifies before this should be merged.
This is my first time working in this codebase, as well as the first time in several years that I'm working in C#, so please be extra careful reviewing this: don't trust that I know what I'm doing.