feat: add experimental use-inline-specifiers-lockfile-format

[gluxon]

Fixes #4725.

This experimental lockfile format reduces merge conflicts when dependencies on adjacent lines are updated in different commits. See linked issue for an in-depth description of the formatting changes in this PR and the motivation.

Toy Example

Suppose the following package.json and (partial) pnpm-lock.yaml

// packages/example/package.json
{
  "name": "example"
  "dependencies": {
    "bar": "^1.0.0",
    "baz": "^1.0.0",
    "qux": "^1.0.0"
  }
}

# pnpm-lock.yaml (partial)
importers:

  packages/example:
    specifiers:
      bar: ^1.0.0
      baz: ^1.0.0
      qux: ^1.0.0
    dependencies:
      bar: 1.0.0
      baz: 1.0.0
      qux: 1.0.0

If the following package.json changes were made in different commits, this would cause a merge conflict in pnpm-lock.yaml.

Commit A (Upgrades bar)

 {
   "name": "example"
   "dependencies": {
-    "bar": "^1.0.0",
+    "bar": "^2.0.0",
     "baz": "^1.0.0",
     "qux": "^1.0.0"
   }
 }

Commit B (Upgrades baz)

 {
   "name": "example"
   "dependencies": {
     "bar": "^1.0.0",
-    "baz": "^1.0.0",
+    "baz": "^2.0.0",
     "qux": "^1.0.0"
   }
}

This is because pnpm-lock.yaml serializes these dependency resolutions next to each other. The diffs are "touching".

 importers:
   specifiers:
-    bar: ^1.0.0 # Commit A
+    bar: ^2.0.0 # Commit A
-    baz: ^1.0.0 # Commit B
+    baz: ^2.0.0 # Commit B
     qux: ^1.0.0
   dependencies:
-    bar: 1.0.0 # Commit A
+    bar: 2.0.0 # Commit A
-    baz: 1.0.0 # Commit B
+    baz: 2.0.0 # Commit B
     qux: 1.0.0

With use-inline-specifiers-lockfile-format set, the changes are no longer happening on adjacent lines. In the example below, the diff changes multiple lines, but the grouped line changes are from different commits.

 importers:
   dependencies:
     bar:
-      specifier: ^1.0.0 # Commit A
+      specifier: ^2.0.0 # Commit A
-      version: 1.0.0 # Commit A
+      version: 2.0.0 # Commit A
     baz:
-      specifier: ^1.0.0 # Commit B
+      specifier: ^2.0.0 # Commit B
-      version: 1.0.0 # Commit B
+      version: 2.0.0 # Commit B
     qux:
       specifier: ^1.0.0
       version: 1.0.0

Astute observers may notice that the package.json file in this example would probably merge conflict. One option to prevent that would be pnpm/rfcs#1.

Real World Example

Here's pnpm-lock.yaml on commit eb2426c with use-inline-specifiers-lockfile-format = true set in .npmrc.

Lockfile itself: https://gist.github.com/gluxon/7bb61624023bbdbdff3da4f917eccd0f
Diff of lockfile: https://gist.github.com/gluxon/a64f0bdc74ca9d99c1fc0723ed6f74fb

Existing Problems

The specifiers block still appears in the serialized pnpm-lock.yaml due to the normalizeLockfile function running after the converters.

pnpm/packages/lockfile-file/src/write.ts

Line 105 in 01c5834

specifiers: importer.specifiers ?? {},

This could be addressed by making normalizeLockfile aware of the feature flag, but that feels architecturally strange. I think this is a non-issue since this is a feature-flagged change, but wanted to call it out in case that's incorrect.

[gluxon]

The idea behind the naming here was that "specifiers" are now "inlined" next to their resolved version instead of in their own block.

I think this naming is awful, but can't think of any better ones at the moment.

[gluxon]

When the shared lockfile format is used, specifiers, dependencies, devDependencies, and optionalDependencies may appear as keys on the root of the lockfile. At the moment this logic only checks for the specifiers key to guess whether the lockfile was serialized using the shared lockfile format.

After the changes in this PR, we unfortunately can't rely on the presence of specifiers on the root to detect the shared lockfile format since the "inline specifiers" format removes specifiers. We're now checking for one of the other fields. This patch is only change not gated behind the feature flag. Assuming the logic is correct, it should not change runtime behavior when the flag is off though.

If that's not okay, I can revert the change to this function and have convertToInlineSpecifiersFormat write out an empty specifiers: {} block. The thinking was that we'll have to remove the check for specifiers here if we end up adopting the changes in this feature flag, so I might as well commit this planned change and have it up for review.

[zkochan]

can't you just check the existence of "importers" field instead?

[gluxon]

Yes, that seems much better. Thanks for the suggestion.

[gluxon]

Is minor the right semver change for a flagged feature? This didn't feel like a patch, but I could be wrong.

[gluxon]

Is there potentially a bad cache on the windows-latest / Node.js 14.6 check? The check passes on a forked repo for the same commit: https://github.com/gluxon/pnpm/actions/runs/2729853189

It looks like TypeScript is attempting to compile make-dedicated-lockfile before compiling lockfile-file? tsc --build relies on timestamps. My guess is there might be something weird going on with preserving timestamps on Windows with @actions/cache.

[zkochan]

it will be shorter if you add specifiers as the first argument and then make a new function. like

const _convertResolvedDependenciesToInlineSpecifiersFormat = convertResolvedDependenciesToInlineSpecifiersFormat.bind(null, { specifiers })

[zkochan]

or you may use a loop

for (const depField of DEPENDENCIES_FIELDS) {
  newImporter[depField] = projectSnapshot[depField]......
}

[gluxon]

Agree this could have been much shorter. How does the functional approach that was just pushed look?

pnpm/packages/lockfile-file/src/experiments/inlineSpecifiersLockfileConverters.ts

Lines 50 to 59 in 3cd2784

	const convertBlock = (block?: ResolvedDependencies) =>
	block != null
	? convertResolvedDependenciesToInlineSpecifiersFormat(block, { specifiers })
	: block
	return {
	...rest,
	dependencies: convertBlock(projectSnapshot.dependencies),
	optionalDependencies: convertBlock(projectSnapshot.optionalDependencies),
	devDependencies: convertBlock(projectSnapshot.devDependencies),
	}

[zkochan]

can't you just check the existence of "importers" field instead?

[gluxon]

Thanks for the suggestions! I'm away from my keyboard for a few more hours, but will update the PR once I get back in ~3 hours.

[gluxon]

Latest force push should:

• Address initial feedback.
• I added a bit more to the changelog cautioning pnpm min version constraints in case anyone discovers this feature and decides to use it.
• I caught that convertResolvedDependenciesToInlineSpecifiersFormat could also be simplified with mapValues and rewrote that.

[zkochan]

I have tried this setting.

Now the lockfile has this:

  packages/audit:
    specifiers: {}
    dependencies:
      '@pnpm/error':
        specifier: workspace:*
        version: link:../error

I guess the specifiers field shouldn't be there

[gluxon]

Thanks for testing @zkochan. I mentioned this briefly under "Existing Problems" in the PR description. Would it make sense to just pass a useInlineSpecifiersFormat flag into normalizeLockfile?

Was originally worried about the change leaking out of the converter functions, but making normalizeLockfile aware of this flag is probably okay.

[zkochan]

Or alternatively you can duplicate the normalise function for the new format

[zkochan]

I am doing it

#5110

[gluxon]

Thanks!