[lockfile-explorer] Add version validation capability (reopened)

apps/lockfile-explorer/bin/lockfile-explorer

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-require('../lib/start.js');
+require('../lib/start-explorer.js');

apps/lockfile-explorer/bin/lockfile-lint

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('../lib/start-lint.js');

apps/lockfile-explorer/package.json

@@ -26,7 +26,9 @@
   "license": "MIT",
   "bin": {
     "lockfile-explorer": "./bin/lockfile-explorer",
-    "lfx": "./bin/lockfile-explorer"
+    "lfx": "./bin/lockfile-explorer",
+    "lockfile-lint": "./bin/lockfile-lint",
+    "lflint": "./bin/lockfile-lint"
   },
   "scripts": {
     "build": "heft build --clean",
@@ -52,7 +54,9 @@
     "@types/js-yaml": "3.12.1",
     "@types/update-notifier": "~6.0.1",
     "local-node-rig": "workspace:*",
-    "@pnpm/lockfile-types": "~6.0.0"
+    "@pnpm/lockfile-types": "^5.1.5",
+    "@types/yargs": "~17.0.32",
+    "@types/semver": "7.5.0"
   },
   "dependencies": {
     "@microsoft/rush-lib": "workspace:*",
@@ -63,6 +67,8 @@
     "js-yaml": "~3.13.1",
     "open": "~8.4.0",
     "update-notifier": "~5.1.0",
-    "@pnpm/dependency-path": "~2.1.2"
+    "@pnpm/dependency-path": "~2.1.2",
+    "yargs": "~17.7.2",
+    "semver": "~7.5.4"
   }
 }

apps/lockfile-explorer/src/commands/init.ts

@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+// See LICENSE in the project root for license information.
+
+import { RushConfiguration } from '@microsoft/rush-lib';
+import { FileSystem } from '@rushstack/node-core-library';
+import { Colorize } from '@rushstack/terminal';
+import type { CommandModule } from 'yargs';
+import * as path from 'path';
+import { LockfileExplorerConfig } from '../constants/common';
+
+// Example usage: lflint init
+// Example usage: lockfile-lint init
+export const initCommand: CommandModule = {
+  command: 'init',
+  describe: `Create ${LockfileExplorerConfig.FileName} config file`,
+  handler: () => {
+    try {
+      const rushConfiguration: RushConfiguration | undefined = RushConfiguration.tryLoadFromDefaultLocation();
+      if (!rushConfiguration) {
+        throw new Error(
+          'The "lockfile-explorer check" must be executed in a folder that is under a Rush workspace folder'
+        );
+      }
+      const inputFilePath: string = path.resolve(__dirname, '../schemas/lockfile-lint-template.json');
+      const outputFilePath: string = path.resolve(
+        rushConfiguration.commonLockfileExplorerConfigFolder,
+        LockfileExplorerConfig.FileName
+      );
+
+      if (FileSystem.exists(outputFilePath)) {
+        console.log(Colorize.red('The output file already exists:'));
+        console.log('\n  ' + outputFilePath + '\n');
+        throw new Error('Unable to write output file');
+      }
+
+      console.log(Colorize.green('Writing file: ') + outputFilePath);
+      FileSystem.copyFile({
+        sourcePath: inputFilePath,
+        destinationPath: outputFilePath
+      });
+    } catch (error) {
+      console.error(Colorize.red('ERROR: ' + error.message));
+      process.exit(1);
+    }
+  }
+};

apps/lockfile-explorer/src/commands/lint.ts

@@ -0,0 +1,167 @@
+// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+// See LICENSE in the project root for license information.
+
+import type { Lockfile, LockfileV6 } from '@pnpm/lockfile-types';
+import path from 'path';
+import yaml from 'js-yaml';
+import { RushConfiguration } from '@microsoft/rush-lib/lib/api/RushConfiguration';
+import type { Subspace } from '@microsoft/rush-lib/lib/api/Subspace';
+import type { RushConfigurationProject } from '@microsoft/rush-lib/lib/api/RushConfigurationProject';
+import { FileSystem, JsonFile, JsonSchema } from '@rushstack/node-core-library';
+import type { CommandModule } from 'yargs';
+import { Colorize } from '@rushstack/terminal';
+import semver from 'semver';
+
+import lockfileLintSchema from '../schemas/lockfile-lint.schema.json';
+import { getShrinkwrapFileMajorVersion, parseDependencyPath } from '../utils/shrinkwrap';
+import { LockfileExplorerConfig } from '../constants/common';
+
+export interface ILintRule {
+  rule: 'restrict-versions';
+  project: string;
+  requiredVersions: Record<string, string>;
+}
+
+export interface ILockfileLint {
+  rules: ILintRule[];
+}
+
+async function checkVersionCompatibility(
+  shrinkwrapFileMajorVersion: number,
+  packages: Lockfile['packages'],
+  dependencyPath: string,
+  requiredVersions: Record<string, string>,
+  checkedDependencyPaths: Set<string>
+): Promise<void> {
+  if (packages && packages[dependencyPath] && !checkedDependencyPaths.has(dependencyPath)) {
+    checkedDependencyPaths.add(dependencyPath);
+    const { name, version } = parseDependencyPath(shrinkwrapFileMajorVersion, dependencyPath);
+    if (name in requiredVersions && !semver.satisfies(version, requiredVersions[name])) {
+      throw new Error(`ERROR: Detected inconsistent version numbers in package '${name}': '${version}'!`);
+    }
+
+    for (const [dependencyPackageName, dependencyPackageVersion] of Object.entries(
+      packages[dependencyPath].dependencies ?? {}
+    )) {
+      await checkVersionCompatibility(
+        shrinkwrapFileMajorVersion,
+        packages,
+        `/${dependencyPackageName}${shrinkwrapFileMajorVersion === 6 ? '@' : '/'}${dependencyPackageVersion}`,
+        requiredVersions,
+        checkedDependencyPaths
+      );
+    }
+  }
+}
+
+async function searchAndValidateDependencies(
+  rushConfiguration: RushConfiguration,
+  checkedProjects: Set<RushConfigurationProject>,
+  project: RushConfigurationProject,
+  requiredVersions: Record<string, string>
+): Promise<void> {
+  console.log(`Checking the project: ${project.packageName}.`);
+
+  const projectFolder: string | undefined = project.projectFolder;
+  const subspace: Subspace | undefined = project.subspace;
+  if (subspace && projectFolder) {
+    const shrinkwrapFilename: string = subspace.getCommittedShrinkwrapFilename();
+    const pnpmLockfileText: string = await FileSystem.readFileAsync(shrinkwrapFilename);
+    const doc = yaml.load(pnpmLockfileText) as Lockfile | LockfileV6;
+    const { importers, lockfileVersion, packages } = doc;
+    const shrinkwrapFileMajorVersion: number = getShrinkwrapFileMajorVersion(lockfileVersion);
+    const checkedDependencyPaths: Set<string> = new Set<string>();
+    for (const [relativePath, { dependencies }] of Object.entries(importers)) {
+      if (path.resolve(projectFolder, relativePath) === projectFolder) {
+        const dependenciesEntries = Object.entries(dependencies ?? {});
+        for (const [dependencyName, dependencyValue] of dependenciesEntries) {
+          const fullDependencyPath = `/${dependencyName}${shrinkwrapFileMajorVersion === 6 ? '@' : '/'}${
+            typeof dependencyValue === 'string'
+              ? dependencyValue
+              : (
+                  dependencyValue as {
+                    version: string;
+                    specifier: string;
+                  }
+                ).version
+          }`;
+          if (fullDependencyPath.includes('link:')) {
+            const dependencyProject: RushConfigurationProject | undefined =
+              rushConfiguration.getProjectByName(dependencyName);
+            if (dependencyProject && !checkedProjects.has(dependencyProject)) {
+              checkedProjects.add(project);
+              await searchAndValidateDependencies(
+                rushConfiguration,
+                checkedProjects,
+                dependencyProject,
+                requiredVersions
+              );
+            }
+          } else {
+            await checkVersionCompatibility(
+              shrinkwrapFileMajorVersion,
+              packages,
+              fullDependencyPath,
+              requiredVersions,
+              checkedDependencyPaths
+            );
+          }
+        }
+      }
+    }
+  }
+}
+
+async function performVersionRestrictionCheck(
+  rushConfiguration: RushConfiguration,
+  requiredVersions: Record<string, string>,
+  projectName: string
+): Promise<void> {
+  const project: RushConfigurationProject | undefined = rushConfiguration?.getProjectByName(projectName);
+  if (!project) {
+    throw new Error(`Cannot found project name: ${projectName}`);
+  }
+  const checkedProjects: Set<RushConfigurationProject> = new Set<RushConfigurationProject>([project]);
+  await searchAndValidateDependencies(rushConfiguration, checkedProjects, project, requiredVersions);
+}
+
+// Example usage: lflint
+// Example usage: lockfile-lint
+export const lintCommand: CommandModule = {
+  command: '$0',
+  describe: 'Check if the specified package has a inconsistent package versions in target project',
+  // eslint-disable-next-line @typescript-eslint/naming-convention
+  handler: async () => {
+    try {
+      const rushConfiguration: RushConfiguration | undefined = RushConfiguration.tryLoadFromDefaultLocation();
+      if (!rushConfiguration) {
+        throw new Error(
+          'The "lockfile-explorer check" must be executed in a folder that is under a Rush workspace folder'
+        );
+      }
+      const lintingFile: string = path.resolve(
+        rushConfiguration.commonLockfileExplorerConfigFolder,
+        LockfileExplorerConfig.FileName
+      );
+      const { rules }: ILockfileLint = JsonFile.loadAndValidate(
+        lintingFile,
+        JsonSchema.fromLoadedObject(lockfileLintSchema)
+      );
+      for (const { requiredVersions, project, rule } of rules) {
+        switch (rule) {
+          case 'restrict-versions': {
+            await performVersionRestrictionCheck(rushConfiguration, requiredVersions, project);
+            break;
+          }
+          default: {
+            throw new Error('Unsupported rule name: ' + rule);
+          }
+        }
+      }
+      console.log(Colorize.green('Check passed!'));
+    } catch (error) {
+      console.error(Colorize.red('ERROR: ' + error.message));
+      process.exit(1);
+    }
+  }
+};