[rush] Add support for Yarn resolutions when using Yarn

[octogonz]

The Yarn package manager has a feature called "resolutions" that is similar in function to pnpmfile.js. It allows a package to specify fixup rules for indirect dependencies, for example:

{
  "name": "project",
  "version": "1.0.0",
  "dependencies": {
    "left-pad": "1.0.0",
    "c": "file:../c-1",
    "d2": "file:../d2-1"
  },
  "resolutions": {
    "d2/left-pad": "1.1.1",
    "c/**/left-pad": "1.1.2"
  }
}

The full docs are here:
https://yarnpkg.com/lang/en/docs/selective-version-resolutions/

We should figure out how to support this in a Rush repo when using the Yarn package manager.

[KevinGrandon]

This one would be immensely useful for us. Any pointers on where to start looking in case a third-party contribution would be useful?

[RichiCoder1]

Just ran into this. Would love to know if there's a way to accomplish this or help.

[octogonz]

After thinking about it a little, I suspect that this feature may be fairly easy to implement.

Some background: rush install works by generating a fake package common/temp/package.json (called the "common package") that will get processed by a single yarn install invocation. (See this code.)

The common package contains references to tarballs (called the "temp packages"), one for each project project in your repo. (See this code.) If your real project is called my-lib, then the corresponding temp package name will be @rush-temp/my-lib, and the common package will contain something like this:

common/temp/package.json

{
  "name": "rush-common",
  "version": "0.0.0"
  "description": "Temporary file generated by the Rush tool",
  "private": true,
  "dependencies": {
    . . .
    "@rush-temp/my-lib": "file:./projects/my-lib.tgz",
    . . .
  }
}

If you extract the temp package tarball, it contains a single fake package.json file that describes the dependencies that Rush will install for the corresponding project. (You don't actually need to extract it, because its extracted contents are already present in common/temp/projects/my-lib/package.json. The reason for using a tarball is to make it easier for the package manager's cache to determine whether the fake package has changed or not.)

Thus, in theory in order to implement this feature, all we need to do is copy the "resolutions" field from the original project's package.json file (packageJson variable on this line) into the temp package's package.json (tempPackageJson variable in that same loop).

In practice, the question will be whether Yarn correctly respects it during installation. (All three package managers tend to be fairly buggy when handling file: version specifiers.)

If you can get it working, please create a PR! :-P

[buffcode]

I would expect preferredVersions to be used for this? We wuold like to update some indirect dependencies due to security issues but rush will only add the prefererred version in addition to the older indirect dependency.

A global solution would be nice and though #1360 addresses this on package level, I think should be a first level option within rush itself for the whole mono-repo, in order to have consistent versions.