[rush] Copy resolutions section from source package.json for yarn

[MasterLambaster]

Copy resolutions to the base package.json and to the project specific auto generated files.
Fixes #831.

[msftclas]

All CLA requirements met.

[MasterLambaster]

@iclanton The latest change to use index signature is causing issues on CI but not locally. Local run on node 8.16.0 passes successfully.

[12:06:45] Project @microsoft/rush-lib version:5.10.1
[12:06:45] Build tools version:3.9.26
[12:06:45] Node version:v8.16.0
[12:06:45] Total duration:30 s

With tslint version 5.12.1 and typescript version3.2.4.
Is there easy way to get typescript version on CI?
Or should I rollback those changes?

[iclanton]

Sorry I didn't see this when you updated it. I'll take a look tomorrow when I'm at the office.

[iclanton]

The typescript version is 3.4.

I fixed the issue you were seeing.

[rakeshpatnaik]

@MasterLambaster - Can you take a look and respond to the open comments?

[chriscasola]

@MasterLambaster @iclanton is there more work left here? I'd be happy to contribute, this change would be extremely useful to us.

[MasterLambaster]

For whatever reasons there was one unresolved but yet redundant request open. It should be all good now.

[chriscasola]

@iclanton can this be reviewed again?

[chriscasola]

@iclanton any update?

[chriscasola]

@iclanton @octogonz Can I do anything to help get this merged?

[chriscasola]

@iclanton @octogonz any update? I can rebase this and open a new PR if it will be looked at.

[octogonz]

@apostolisms Could we get someone to review this? Overall the basic idea behind this PR seems sound to me. (Copy the resolutions from the project's package.json into the temp-project's package.json.)

If I remember right, this is the only way for Yarn to work around the @types versioning issue (yarnpkg/yarn#6695). So it's an important fix.

[iclanton]

I just put together a repo to test this change and it doesn't seem to be working for me.

Here's my test repo:

This project has a "resolutions" field. and I checked in the yarn.lock file from a normal yarn install in that project's folder. Notice that z-schema is resolved to 5.18.3, when it would normally be 5.18.4.

However, no analogous resolution shows up in the common/config/rush/yarn.link file: z-schema is resolved to 5.18.4.

Does someone have a repo where this is working?

[MasterLambaster]

That's correct behavior.
Resolutions are applied only on the project level. I.e. that'll mandate version only within project1.
We've discussed behavior you're referencing to here( For whatever reasons conversation link does not work)
In order to support global resolution we need either to combine all resolutions from all packages and deal with conflicts, either do it some other way.

[iclanton]

@MasterLambaster - but the resolution does seem to even be applying on the project level. I've specified a resolution in proj1, but it's still getting [email protected], not 3.18.3

[MasterLambaster]

@iclanton could you please describe how do you verify it?
yarn.lock file resolves to 3.18.3
common/temp/proj1/package.json contains

 "resolutions": {
    "**/z-schema": "3.18.3"
  }

That resolutions are never making into common/temp/package.json because of the reasons I've described earlier.

It's been quite a while since initial PR and I'm struggling to recall why even having that within package were making sense 😂

[iclanton]

The yarn.lock file you linked to is the one I generated by just running yarn install in /proj1. The yarn.lock file produced by this PR is here. Notice that z-schema is resolved to version 3.18.4 in that yarn.lock file.

[MasterLambaster]

Notice that z-schema is resolved to version 3.18.4 in that yarn.lock file.

That's absolutely correct. In order to support that I need collect all resolutions from project package.json files and put into common/temp/package.json file. That imply some conflict resolution or at least warning system for that purposes.

Do you want me to restore this functionality?
Is it enough to start with the warnings if there are conflicts with different resolution instructions or just do general case to begin with?

[iclanton]

Do you want me to restore this functionality?

That behavior will probably produce undesired results.

Perhaps I'm confused here. Can you provide a Rush repo where the a project's "resolutions" field changes something when running rush update with the version of Rush in this PR?

[MasterLambaster]

So, I've took a deeper look and tired to recall all circumstances.
The current PR have just some if none utility.
This code change only copying resolutions into projects package.json files that are placed into the project tarball. The aggregated package.json(common/temp/package.json) does not use any of those files and is generated by combining all dependencies from all packages.
I.e this PR has no effect on common/config/rush/yarn.lock which is desired outcome.

Having that said I can think of following possible solutions:

• Add new rush/yarn specific field that'll control global rush resolutions
  CONS: Specific field that might not meet package.json schema. Does not save from conflicts. Details are hidden within package and might be hard to find
• Automatically combine all resolutions and put those into global package.json
  CONS: Quite complex conflict resolution system if any, otherwise can lead to unexpected errors
• Add resolutions section to yarnOptions section in rush.json
  CONS: Can duplicate and force-overwrite resolutions inside packages that can have some minor side effects as well.

@iclanton do you see any other places that we can use to configure resolutions explicitly?

[liyikun]

When will it be merged? @octogonz

[octogonz]

@liyikun Lemme figure out what's up. For future reference, if a PR is getting overlooked, please let us know in the #contributor-helpline chat room.

[D4N14L]

Should be a Map<string, string> to match what others are doing

[D4N14L]

Or I guess, Map<string, PackageJsonDependency> if this matches a version specifier format?

[octogonz]

@D4N14L I agree that we should make this a complete PackageJsonEditor API rather than just a way to pass the options along. A config-file-with-data is generally preferable to a script-with-code, so for everyday problems, resolutions is actually a better design than pnpmfile.js. (Although pnpmfile.js is still a good feature for advanced problems.)

I thought about adapting the PNPM shim to apply resolutions for PNPM. But it turns out that PNPM later implemented this same feature, but they call it overrides. (pnpm/pnpm#2946) Docs are here. In the issue pnpm/pnpm#1221 they point out that NPM reinvented the same feature in their "overrides" RFC but with some differences in its design. So all 3 package managers implement this feature in slightly different ways, all using different package.json fields.

We should support PNPM overrides and recommend it over pnpmfile.js. But that's not part of this PR. (I opened #2698 to track it)

[octogonz]

Fixed

[D4N14L]

ReadonlyArray<PackageJsonDependency> if that type can be supported, otherwise return the a readonly object

[octogonz]

The structure is Record<string, string> basically the same as "dependencies" and "devDependenices", with the only difference being that the name can include glob-like patterns. I think we can model it the same way.

[octogonz]

Fixed

[octogonz]

@D4N14L I have addressed your feedback

[D4N14L]

Approving to avoid blocking but comment needs to be addressed before merge

[octogonz]

I tested this in a Rush repo with Yarn and confirmed that "resolutions" is copied to the common/temp/projects/*/package.json files.

I also tested the error message for PNPM repos, but found that it is only printed with useWorkspaces=fase. Lemme see if we can fix that.

addressed

[octogonz]

Released with Rush 5.47.0