@openrewrite/rewrite 8.70.2 → 8.70.4

package/src/javascript/package-manager.ts

@@ -19,8 +19,7 @@ import {
     findNodeResolutionResult,
     PackageJsonContent,
     PackageLockContent,
-    PackageManager,
-    readNpmrcConfigs
+    PackageManager
 } from "./node-resolution-result";
 import {replaceMarkerByKind} from "../markers";
 import {Json, JsonParser, JsonVisitor} from "../json";
@@ -59,35 +58,37 @@ interface PackageManagerConfig {
 const PACKAGE_MANAGER_CONFIGS: Record<PackageManager, PackageManagerConfig> = {
     [PackageManager.Npm]: {
         lockFile: 'package-lock.json',
-        installLockOnlyCommand: ['npm', 'install', '--package-lock-only'],
-        installCommand: ['npm', 'install'],
+        // --ignore-scripts prevents prepublish/prepare scripts from running in temp directory
+        installLockOnlyCommand: ['npm', 'install', '--package-lock-only', '--ignore-scripts'],
+        installCommand: ['npm', 'install', '--ignore-scripts'],
         listCommand: ['npm', 'list', '--json', '--all'],
     },
     [PackageManager.YarnClassic]: {
         lockFile: 'yarn.lock',
-        // Yarn Classic doesn't have a lock-only mode
+        // Yarn Classic doesn't have a lock-only mode; --ignore-scripts prevents lifecycle scripts
         installLockOnlyCommand: ['yarn', 'install', '--ignore-scripts'],
-        installCommand: ['yarn', 'install'],
+        installCommand: ['yarn', 'install', '--ignore-scripts'],
         listCommand: ['yarn', 'list', '--json'],
     },
     [PackageManager.YarnBerry]: {
         lockFile: 'yarn.lock',
-        // Yarn Berry's mode skip-build skips post-install scripts
+        // --mode skip-build skips post-install scripts in Yarn Berry
         installLockOnlyCommand: ['yarn', 'install', '--mode', 'skip-build'],
-        installCommand: ['yarn', 'install'],
+        installCommand: ['yarn', 'install', '--mode', 'skip-build'],
         listCommand: ['yarn', 'info', '--all', '--json'],
     },
     [PackageManager.Pnpm]: {
         lockFile: 'pnpm-lock.yaml',
-        installLockOnlyCommand: ['pnpm', 'install', '--lockfile-only'],
-        installCommand: ['pnpm', 'install'],
+        // --ignore-scripts prevents lifecycle scripts from running in temp directory
+        installLockOnlyCommand: ['pnpm', 'install', '--lockfile-only', '--ignore-scripts'],
+        installCommand: ['pnpm', 'install', '--ignore-scripts'],
         listCommand: ['pnpm', 'list', '--json', '--depth=Infinity'],
     },
     [PackageManager.Bun]: {
         lockFile: 'bun.lock',
-        // Bun doesn't have a lock-only mode, but is very fast anyway
+        // Bun doesn't have a lock-only mode; --ignore-scripts prevents lifecycle scripts
         installLockOnlyCommand: ['bun', 'install', '--ignore-scripts'],
-        installCommand: ['bun', 'install'],
+        installCommand: ['bun', 'install', '--ignore-scripts'],
     },
 };
 
@@ -447,8 +448,6 @@ export async function parseLockFileContent(
  * Recipes extend this with additional fields specific to their needs.
  */
 export interface BaseProjectUpdateInfo {
-    /** Absolute path to the project directory */
-    projectDir: string;
     /** Relative path to package.json (from source root) */
     packageJsonPath: string;
     /** The package manager used by this project */
@@ -559,17 +558,15 @@ export async function updateNodeResolutionMarker<T extends BaseProjectUpdateInfo
         }
     }
 
-    // Read npmrc configs from the project directory
-    const npmrcConfigs = await readNpmrcConfigs(updateInfo.projectDir);
-
-    // Create new marker
+    // Create new marker, preserving existing npmrc configs from the parser
+    // (recipes don't have filesystem access to re-read them)
     const newMarker = createNodeResolutionResultMarker(
         existingMarker.path,
         packageJsonContent,
         lockContent,
         existingMarker.workspacePackagePaths,
         existingMarker.packageManager,
-        npmrcConfigs.length > 0 ? npmrcConfigs : undefined
+        existingMarker.npmrcConfigs
     );
 
     // Replace the marker in the document
@@ -591,52 +588,72 @@ export interface TempInstallOptions {
      * Default: true (lock-only is faster and sufficient for most cases)
      */
     lockOnly?: boolean;
+    /**
+     * Original lock file content to use. If provided, this content will be written
+     * to the temp directory instead of copying from projectDir.
+     * This allows recipes to work with in-memory SourceFiles without filesystem access.
+     */
+    originalLockFileContent?: string;
+    /**
+     * Config file contents to use. Keys are filenames (e.g., '.npmrc'), values are content.
+     * If provided, these will be written to the temp directory instead of copying from projectDir.
+     */
+    configFiles?: Record<string, string>;
 }
 
 /**
- * Runs package manager install in a temporary directory.
- *
- * This function:
- * 1. Creates a temp directory
- * 2. Writes the provided package.json content
- * 3. Copies the existing lock file (if present)
- * 4. Copies config files (.npmrc, .yarnrc, etc.)
- * 5. Runs the package manager install
- * 6. Returns the updated lock file content
- * 7. Cleans up the temp directory
- *
- * @param projectDir The original project directory (for copying lock file and configs)
- * @param pm The package manager to use
- * @param modifiedPackageJson The modified package.json content to use
- * @param options Optional settings for timeout and lock-only mode
- * @returns Result containing success status and lock file content or error
+ * Options for running install in a temporary directory with workspace support.
  */
-export async function runInstallInTempDir(
-    projectDir: string,
+export interface WorkspaceTempInstallOptions extends TempInstallOptions {
+    /**
+     * Workspace package.json files. Keys are relative paths from the project root
+     * (e.g., "packages/foo/package.json"), values are the package.json content.
+     * The root package.json should have a "workspaces" field pointing to these packages.
+     */
+    workspacePackages?: Record<string, string>;
+}
+
+/**
+ * Internal implementation for running package manager install in a temporary directory.
+ * Supports both simple projects and workspaces.
+ */
+async function runInstallInTempDirCore(
     pm: PackageManager,
-    modifiedPackageJson: string,
-    options: TempInstallOptions = {}
+    rootPackageJson: string,
+    options: WorkspaceTempInstallOptions = {}
 ): Promise<TempInstallResult> {
-    const {timeout = 120000, lockOnly = true} = options;
+    const {
+        timeout = 120000,
+        lockOnly = true,
+        originalLockFileContent,
+        configFiles: configFileContents,
+        workspacePackages
+    } = options;
     const lockFileName = getLockFileName(pm);
     const tempDir = await fsp.mkdtemp(path.join(os.tmpdir(), 'openrewrite-pm-'));
 
     try {
-        // Write modified package.json to temp directory
-        await fsp.writeFile(path.join(tempDir, 'package.json'), modifiedPackageJson);
+        // Write root package.json to temp directory
+        await fsp.writeFile(path.join(tempDir, 'package.json'), rootPackageJson);
+
+        // Write workspace package.json files (creating subdirectories as needed)
+        if (workspacePackages) {
+            for (const [relativePath, content] of Object.entries(workspacePackages)) {
+                const fullPath = path.join(tempDir, relativePath);
+                await fsp.mkdir(path.dirname(fullPath), {recursive: true});
+                await fsp.writeFile(fullPath, content);
+            }
+        }
 
-        // Copy existing lock file if present
-        const originalLockPath = path.join(projectDir, lockFileName);
-        if (fs.existsSync(originalLockPath)) {
-            await fsp.copyFile(originalLockPath, path.join(tempDir, lockFileName));
+        // Write lock file if provided
+        if (originalLockFileContent !== undefined) {
+            await fsp.writeFile(path.join(tempDir, lockFileName), originalLockFileContent);
         }
 
-        // Copy config files if present (for registry configuration and workspace setup)
-        const configFiles = ['.npmrc', '.yarnrc', '.yarnrc.yml', '.pnpmfile.cjs', 'pnpm-workspace.yaml'];
-        for (const configFile of configFiles) {
-            const configPath = path.join(projectDir, configFile);
-            if (fs.existsSync(configPath)) {
-                await fsp.copyFile(configPath, path.join(tempDir, configFile));
+        // Write config files if provided
+        if (configFileContents) {
+            for (const [configFile, content] of Object.entries(configFileContents)) {
+                await fsp.writeFile(path.join(tempDir, configFile), content);
             }
         }
 
@@ -688,6 +705,57 @@ export async function runInstallInTempDir(
     }
 }
 
+/**
+ * Runs package manager install in a temporary directory.
+ *
+ * This function:
+ * 1. Creates a temp directory
+ * 2. Writes the provided package.json content
+ * 3. Writes the lock file content (if provided)
+ * 4. Writes config files (if provided)
+ * 5. Runs the package manager install
+ * 6. Returns the updated lock file content
+ * 7. Cleans up the temp directory
+ *
+ * @param pm The package manager to use
+ * @param modifiedPackageJson The modified package.json content to use
+ * @param options Optional settings for timeout, lock-only mode, and file contents
+ * @returns Result containing success status and lock file content or error
+ */
+export async function runInstallInTempDir(
+    pm: PackageManager,
+    modifiedPackageJson: string,
+    options: TempInstallOptions = {}
+): Promise<TempInstallResult> {
+    return runInstallInTempDirCore(pm, modifiedPackageJson, options);
+}
+
+/**
+ * Runs package manager install in a temporary directory with workspace support.
+ *
+ * This function:
+ * 1. Creates a temp directory
+ * 2. Writes the root package.json content
+ * 3. Writes workspace package.json files (creating subdirectories as needed)
+ * 4. Writes the lock file content (if provided)
+ * 5. Writes config files (if provided)
+ * 6. Runs the package manager install at the root
+ * 7. Returns the updated lock file content
+ * 8. Cleans up the temp directory
+ *
+ * @param pm The package manager to use
+ * @param rootPackageJson The root package.json content (should contain "workspaces" field)
+ * @param options Optional settings including workspace packages, timeout, lock-only mode, and file contents
+ * @returns Result containing success status and lock file content or error
+ */
+export async function runWorkspaceInstallInTempDir(
+    pm: PackageManager,
+    rootPackageJson: string,
+    options: WorkspaceTempInstallOptions = {}
+): Promise<TempInstallResult> {
+    return runInstallInTempDirCore(pm, rootPackageJson, options);
+}
+
 /**
  * Creates a lock file visitor that handles updating YAML lock files (pnpm-lock.yaml).
  * This is a reusable component for dependency recipes.

package/src/javascript/project-parser.ts

@@ -77,6 +77,13 @@ export interface ProjectParserOptions {
      * If not provided, all discovered files are parsed.
      */
     fileFilter?: (absolutePath: string) => boolean;
+
+    /**
+     * Optional path to make source file paths relative to.
+     * If not specified, paths are relative to projectPath.
+     * Use this when parsing a subdirectory but wanting paths relative to the repository root.
+     */
+    relativeTo?: string;
 }
 
 /**
@@ -153,6 +160,7 @@ const TEXT_CONFIG_FILES = new Set([
  */
 export class ProjectParser {
     private readonly projectPath: string;
+    private readonly relativeTo: string;
     private readonly exclusions: string[];
     private readonly ctx: ExecutionContext;
     private readonly useGit: boolean;
@@ -162,6 +170,7 @@ export class ProjectParser {
 
     constructor(projectPath: string, options: ProjectParserOptions = {}) {
         this.projectPath = path.resolve(projectPath);
+        this.relativeTo = options.relativeTo ? path.resolve(options.relativeTo) : this.projectPath;
         this.exclusions = options.exclusions ?? DEFAULT_EXCLUSIONS;
         this.ctx = options.ctx ?? new ExecutionContext();
         this.useGit = options.useGit ?? this.isGitRepository();
@@ -230,7 +239,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.packageJsonFiles.length} package.json files...`);
             const parser = Parsers.createParser("packageJson", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.packageJsonFiles)) {
                 current++;
@@ -244,7 +253,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.lockFiles.json.length} JSON lock files...`);
             const parser = Parsers.createParser("json", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.lockFiles.json)) {
                 current++;
@@ -258,7 +267,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.lockFiles.yaml.length} YAML lock files...`);
             const parser = Parsers.createParser("yaml", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.lockFiles.yaml)) {
                 current++;
@@ -272,7 +281,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.lockFiles.text.length} text lock files...`);
             const parser = Parsers.createParser("plainText", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.lockFiles.text)) {
                 current++;
@@ -286,7 +295,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.jsFiles.length} JavaScript/TypeScript files...`);
             const parser = Parsers.createParser("javascript", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
 
             // Check if Prettier is available
@@ -299,7 +308,7 @@ export class ProjectParser {
                     this.onProgress?.("parsing", current, totalFiles, sf.sourcePath);
 
                     const prettierMarker = await prettierLoader.getConfigMarker(
-                        path.join(this.projectPath, sf.sourcePath)
+                        path.join(this.relativeTo, sf.sourcePath)
                     );
                     if (prettierMarker) {
                         yield produce(sf, draft => {
@@ -352,7 +361,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.yamlFiles.length} YAML files...`);
             const parser = Parsers.createParser("yaml", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.yamlFiles)) {
                 current++;
@@ -366,7 +375,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.jsonFiles.length} JSON files...`);
             const parser = Parsers.createParser("json", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.jsonFiles)) {
                 current++;
@@ -380,7 +389,7 @@ export class ProjectParser {
             this.log(`Parsing ${discovered.textFiles.length} text config files...`);
             const parser = Parsers.createParser("plainText", {
                 ctx: this.ctx,
-                relativeTo: this.projectPath
+                relativeTo: this.relativeTo
             });
             for await (const sf of parser.parse(...discovered.textFiles)) {
                 current++;

package/src/javascript/recipes/add-dependency.ts

@@ -17,11 +17,15 @@
 import {Option, ScanningRecipe} from "../../recipe";
 import {ExecutionContext} from "../../execution";
 import {TreeVisitor} from "../../visitor";
-import {detectIndent, getMemberKeyName, isObject, Json, JsonVisitor, rightPadded, space} from "../../json";
+import {Tree} from "../../tree";
+import {detectIndent, getMemberKeyName, isJson, isObject, Json, JsonVisitor, rightPadded, space} from "../../json";
+import {isDocuments, isYaml, Yaml} from "../../yaml";
+import {isPlainText, PlainText} from "../../text";
 import {
     allDependencyScopes,
     DependencyScope,
     findNodeResolutionResult,
+    NpmrcScope,
     PackageManager
 } from "../node-resolution-result";
 import {emptyMarkers, markupWarn} from "../../markers";
@@ -31,6 +35,7 @@ import {
     createLockFileEditor,
     DependencyRecipeAccumulator,
     getAllLockFileNames,
+    getLockFileName,
     parseLockFileContent,
     runInstallIfNeeded,
     runInstallInTempDir,
@@ -44,8 +49,6 @@ import * as path from "path";
  * Information about a project that needs updating
  */
 interface ProjectUpdateInfo {
-    /** Absolute path to the project directory */
-    projectDir: string;
     /** Relative path to package.json (from source root) */
     packageJsonPath: string;
     /** Original package.json content */
@@ -56,9 +59,14 @@ interface ProjectUpdateInfo {
     newVersion: string;
     /** The package manager used by this project */
     packageManager: PackageManager;
+    /** Config file contents extracted from the project (e.g., .npmrc) */
+    configFiles?: Record<string, string>;
 }
 
-type Accumulator = DependencyRecipeAccumulator<ProjectUpdateInfo>;
+interface Accumulator extends DependencyRecipeAccumulator<ProjectUpdateInfo> {
+    /** Original lock file content, keyed by lock file path */
+    originalLockFiles: Map<string, string>;
+}
 
 /**
  * Adds a new dependency to package.json and updates the lock file.
@@ -100,7 +108,10 @@ export class AddDependency extends ScanningRecipe<Accumulator> {
     scope?: DependencyScope;
 
     initialValue(_ctx: ExecutionContext): Accumulator {
-        return createDependencyRecipeAccumulator();
+        return {
+            ...createDependencyRecipeAccumulator<ProjectUpdateInfo>(),
+            originalLockFiles: new Map()
+        };
     }
 
     private getTargetScope(): DependencyScope {
@@ -109,10 +120,38 @@ export class AddDependency extends ScanningRecipe<Accumulator> {
 
     async scanner(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>> {
         const recipe = this;
+        const LOCK_FILE_NAMES = getAllLockFileNames();
+
+        return new class extends TreeVisitor<Tree, ExecutionContext> {
+            protected async accept(tree: Tree, ctx: ExecutionContext): Promise<Tree | undefined> {
+                // Handle JSON documents (package.json and JSON lock files)
+                if (isJson(tree) && tree.kind === Json.Kind.Document) {
+                    return this.handleJsonDocument(tree as Json.Document, ctx);
+                }
+
+                // Handle YAML documents (pnpm-lock.yaml)
+                if (isYaml(tree) && isDocuments(tree)) {
+                    return this.handleYamlDocument(tree, ctx);
+                }
+
+                // Handle PlainText files (yarn.lock for Yarn Classic)
+                if (isPlainText(tree)) {
+                    return this.handlePlainTextDocument(tree as PlainText, ctx);
+                }
+
+                return tree;
+            }
+
+            private async handleJsonDocument(doc: Json.Document, _ctx: ExecutionContext): Promise<Json | undefined> {
+                const basename = path.basename(doc.sourcePath);
 
-        return new class extends JsonVisitor<ExecutionContext> {
-            protected async visitDocument(doc: Json.Document, _ctx: ExecutionContext): Promise<Json | undefined> {
-                // Only process package.json files
+                // Capture JSON lock file content (package-lock.json, bun.lock)
+                if (LOCK_FILE_NAMES.includes(basename)) {
+                    acc.originalLockFiles.set(doc.sourcePath, await TreePrinters.print(doc));
+                    return doc;
+                }
+
+                // Only process package.json files for dependency analysis
                 if (!doc.sourcePath.endsWith('package.json')) {
                     return doc;
                 }
@@ -131,24 +170,43 @@ export class AddDependency extends ScanningRecipe<Accumulator> {
                     }
                 }
 
-                // Get the project directory and package manager
-                const projectDir = path.dirname(path.resolve(doc.sourcePath));
                 const pm = marker.packageManager ?? PackageManager.Npm;
 
+                // Extract project-level .npmrc config from marker
+                const configFiles: Record<string, string> = {};
+                const projectNpmrc = marker.npmrcConfigs?.find(c => c.scope === NpmrcScope.Project);
+                if (projectNpmrc) {
+                    const lines = Object.entries(projectNpmrc.properties)
+                        .map(([key, value]) => `${key}=${value}`);
+                    configFiles['.npmrc'] = lines.join('\n');
+                }
+
                 acc.projectsToUpdate.set(doc.sourcePath, {
-                    projectDir,
                     packageJsonPath: doc.sourcePath,
-                    originalPackageJson: await this.printDocument(doc),
+                    originalPackageJson: await TreePrinters.print(doc),
                     dependencyScope: recipe.getTargetScope(),
                     newVersion: recipe.version,
-                    packageManager: pm
+                    packageManager: pm,
+                    configFiles: Object.keys(configFiles).length > 0 ? configFiles : undefined
                 });
 
                 return doc;
             }
 
-            private async printDocument(doc: Json.Document): Promise<string> {
-                return TreePrinters.print(doc);
+            private async handleYamlDocument(docs: Yaml.Documents, _ctx: ExecutionContext): Promise<Yaml.Documents | undefined> {
+                const basename = path.basename(docs.sourcePath);
+                if (LOCK_FILE_NAMES.includes(basename)) {
+                    acc.originalLockFiles.set(docs.sourcePath, await TreePrinters.print(docs));
+                }
+                return docs;
+            }
+
+            private async handlePlainTextDocument(text: PlainText, _ctx: ExecutionContext): Promise<PlainText | undefined> {
+                const basename = path.basename(text.sourcePath);
+                if (LOCK_FILE_NAMES.includes(basename)) {
+                    acc.originalLockFiles.set(text.sourcePath, await TreePrinters.print(text));
+                }
+                return text;
             }
         };
     }
@@ -217,6 +275,7 @@ export class AddDependency extends ScanningRecipe<Accumulator> {
 
     /**
      * Runs the package manager in a temporary directory to update the lock file.
+     * All file contents are provided from in-memory sources (SourceFiles), not read from disk.
      */
     private async runPackageManagerInstall(
         acc: Accumulator,
@@ -229,10 +288,23 @@ export class AddDependency extends ScanningRecipe<Accumulator> {
             updateInfo.dependencyScope
         );
 
+        // Get the lock file path based on package manager
+        const lockFileName = getLockFileName(updateInfo.packageManager);
+        const packageJsonDir = path.dirname(updateInfo.packageJsonPath);
+        const lockFilePath = packageJsonDir === '.'
+            ? lockFileName
+            : path.join(packageJsonDir, lockFileName);
+
+        // Look up the original lock file content from captured SourceFiles
+        const originalLockFileContent = acc.originalLockFiles.get(lockFilePath);
+
         const result = await runInstallInTempDir(
-            updateInfo.projectDir,
             updateInfo.packageManager,
-            modifiedPackageJson
+            modifiedPackageJson,
+            {
+                originalLockFileContent,
+                configFiles: updateInfo.configFiles
+            }
         );
 
         storeInstallResult(result, acc, updateInfo, modifiedPackageJson);