workspace-tools 0.18.1 → 0.18.4

package/CHANGELOG.json

@@ -2,7 +2,52 @@
   "name": "workspace-tools",
   "entries": [
     {
-      "date": "Fri, 07 Jan 2022 17:07:14 GMT",
+      "date": "Wed, 20 Apr 2022 16:48:59 GMT",
+      "tag": "workspace-tools_v0.18.4",
+      "version": "0.18.4",
+      "comments": {
+        "patch": [
+          {
+            "author": "kchau@microsoft.com",
+            "package": "workspace-tools",
+            "comment": "fixes a potential security issue where fetch --upload-pack can allow for command injection",
+            "commit": "9bc7e65ce497f87e1f363fd47b8f802f3d3cd978"
+          }
+        ]
+      }
+    },
+    {
+      "date": "Sat, 09 Apr 2022 15:51:14 GMT",
+      "tag": "workspace-tools_v0.18.3",
+      "version": "0.18.3",
+      "comments": {
+        "patch": [
+          {
+            "author": "4123478+tido64@users.noreply.github.com",
+            "package": "workspace-tools",
+            "comment": "Fix Rush not being detected correctly. When Rush is set up to use Yarn or pnpm, the lock file for the latter are found first.",
+            "commit": "b99f6f82a6f22da37b67d74b519a204abd631c87"
+          }
+        ]
+      }
+    },
+    {
+      "date": "Fri, 07 Jan 2022 18:15:36 GMT",
+      "tag": "workspace-tools_v0.18.2",
+      "version": "0.18.2",
+      "comments": {
+        "patch": [
+          {
+            "author": "riacarmin@microsoft.com",
+            "package": "workspace-tools",
+            "comment": "Makes the output of parseLockFile for npm v7+ lock file compatible with queryLockFile.",
+            "commit": "caf984c0c569579a316c4cec9808a63a744abb09"
+          }
+        ]
+      }
+    },
+    {
+      "date": "Fri, 07 Jan 2022 17:07:22 GMT",
       "tag": "workspace-tools_v0.18.1",
       "version": "0.18.1",
       "comments": {

package/CHANGELOG.md

@@ -1,12 +1,36 @@
 # Change Log - workspace-tools
 
-This log was last generated on Fri, 07 Jan 2022 17:07:14 GMT and should not be manually modified.
+This log was last generated on Wed, 20 Apr 2022 16:48:59 GMT and should not be manually modified.
 
 <!-- Start content -->
 
+## 0.18.4
+
+Wed, 20 Apr 2022 16:48:59 GMT
+
+### Patches
+
+- fixes a potential security issue where fetch --upload-pack can allow for command injection (kchau@microsoft.com)
+
+## 0.18.3
+
+Sat, 09 Apr 2022 15:51:14 GMT
+
+### Patches
+
+- Fix Rush not being detected correctly. When Rush is set up to use Yarn or pnpm, the lock file for the latter are found first. (4123478+tido64@users.noreply.github.com)
+
+## 0.18.2
+
+Fri, 07 Jan 2022 18:15:36 GMT
+
+### Patches
+
+- Makes the output of parseLockFile for npm v7+ lock file compatible with queryLockFile. (riacarmin@microsoft.com)
+
 ## 0.18.1
 
-Fri, 07 Jan 2022 17:07:14 GMT
+Fri, 07 Jan 2022 17:07:22 GMT
 
 ### Patches
 

package/lib/__tests__/getWorkspaces.test.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const path_1 = __importDefault(require("path"));
 const setupFixture_1 = require("../helpers/setupFixture");
+const implementations_1 = require("../workspaces/implementations");
 const yarn_1 = require("../workspaces/implementations/yarn");
 const pnpm_1 = require("../workspaces/implementations/pnpm");
 const rush_1 = require("../workspaces/implementations/rush");
@@ -17,6 +18,7 @@ describe("getWorkspaces", () => {
     describe("yarn", () => {
         it("gets the name and path of the workspaces", () => {
             const packageRoot = (0, setupFixture_1.setupFixture)("monorepo");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("yarn");
             const workspacesPackageInfo = (0, yarn_1.getYarnWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
@@ -27,6 +29,7 @@ describe("getWorkspaces", () => {
         });
         it("gets the name and path of the workspaces against a packages spec of an individual package", () => {
             const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-globby");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("yarn");
             const workspacesPackageInfo = (0, yarn_1.getYarnWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
@@ -41,6 +44,7 @@ describe("getWorkspaces", () => {
     describe("pnpm", () => {
         it("gets the name and path of the workspaces", () => {
             const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-pnpm");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("pnpm");
             const workspacesPackageInfo = (0, pnpm_1.getPnpmWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
@@ -50,9 +54,23 @@ describe("getWorkspaces", () => {
             ]);
         });
     });
-    describe("rush", () => {
+    describe("rush + pnpm", () => {
         it("gets the name and path of the workspaces", () => {
             const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-rush-pnpm");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("rush");
+            const workspacesPackageInfo = (0, rush_1.getRushWorkspaces)(packageRoot);
+            const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
+            const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
+            expect(workspacesPackageInfo).toMatchObject([
+                { name: "package-a", path: packageAPath },
+                { name: "package-b", path: packageBPath },
+            ]);
+        });
+    });
+    describe("rush + yarn", () => {
+        it("gets the name and path of the workspaces", () => {
+            const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-rush-yarn");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("rush");
             const workspacesPackageInfo = (0, rush_1.getRushWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
@@ -65,6 +83,7 @@ describe("getWorkspaces", () => {
     describe("npm", () => {
         it("gets the name and path of the workspaces", () => {
             const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-npm");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("npm");
             const workspacesPackageInfo = (0, npm_1.getNpmWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
@@ -75,6 +94,7 @@ describe("getWorkspaces", () => {
         });
         it("gets the name and path of the workspaces using the shorthand configuration", () => {
             const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-shorthand");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("npm");
             const workspacesPackageInfo = (0, npm_1.getNpmWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");
@@ -88,7 +108,8 @@ describe("getWorkspaces", () => {
     });
     describe("lerna", () => {
         it("gets the name and path of the workspaces", async () => {
-            const packageRoot = await (0, setupFixture_1.setupFixture)("monorepo-lerna-npm");
+            const packageRoot = (0, setupFixture_1.setupFixture)("monorepo-lerna-npm");
+            expect((0, implementations_1.getWorkspaceImplementation)(packageRoot, {})).toBe("lerna");
             const workspacesPackageInfo = (0, lerna_1.getLernaWorkspaces)(packageRoot);
             const packageAPath = path_1.default.join(packageRoot, "packages", "package-a");
             const packageBPath = path_1.default.join(packageRoot, "packages", "package-b");

package/lib/__tests__/queryLockFile.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/__tests__/queryLockFile.test.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const setupFixture_1 = require("../helpers/setupFixture");
+const __1 = require("..");
+/**
+ * These tests rely on the "@microsoft/task-scheduler" package and its version as defined in package.json in
+ * fixtures:
+ * - monorepo-npm
+ * - basic-yarn
+ * - monorepo-pnpm
+ *
+ * If making any changes to those fixtures and "@microsoft/task-scheduler" dependency, update the `packageName` and
+ * `packageVersion` constants.
+ */
+const packageName = "@microsoft/task-scheduler";
+const packageVersion = "2.7.1";
+describe("queryLockFile()", () => {
+    // NPM
+    it("retrieves a dependency from a lock generated by npm", async () => {
+        const packageRoot = await (0, setupFixture_1.setupFixture)("monorepo-npm");
+        const parsedLockFile = await (0, __1.parseLockFile)(packageRoot);
+        const result = (0, __1.queryLockFile)(packageName, packageVersion, parsedLockFile);
+        expect(result).toBeDefined();
+        expect(result.version).toBe(packageVersion);
+    });
+    // Yarn
+    it("retrieves a dependency from a lock generated by yarn", async () => {
+        const packageRoot = await (0, setupFixture_1.setupFixture)("basic-yarn");
+        const parsedLockFile = await (0, __1.parseLockFile)(packageRoot);
+        // NOTE: Yarn’s locks include ranges.
+        const result = (0, __1.queryLockFile)(packageName, `^${packageVersion}`, parsedLockFile);
+        expect(result).toBeDefined();
+        expect(result.version).toBe(packageVersion);
+    });
+    // PNPM
+    it("retrieves a dependency from a lock generated by pnpm", async () => {
+        const packageRoot = await (0, setupFixture_1.setupFixture)("monorepo-pnpm");
+        const parsedLockFile = await (0, __1.parseLockFile)(packageRoot);
+        const result = (0, __1.queryLockFile)(packageName, packageVersion, parsedLockFile);
+        expect(result).toBeDefined();
+        expect(result.version).toBe(packageVersion);
+    });
+});

package/lib/git.js

@@ -104,14 +104,14 @@ function getUntrackedChanges(cwd) {
 }
 exports.getUntrackedChanges = getUntrackedChanges;
 function fetchRemote(remote, cwd) {
-    const results = git(["fetch", remote], { cwd });
+    const results = git(["fetch", "--", remote], { cwd });
     if (!results.success) {
         throw gitError(`Cannot fetch remote: ${remote}`);
     }
 }
 exports.fetchRemote = fetchRemote;
 function fetchRemoteBranch(remote, remoteBranch, cwd) {
-    const results = git(["fetch", remote, remoteBranch], { cwd });
+    const results = git(["fetch", "--", remote, remoteBranch], { cwd });
     if (!results.success) {
         throw gitError(`Cannot fetch remote: ${remote} ${remoteBranch}`);
     }

package/lib/helpers/setupFixture.js

@@ -35,6 +35,8 @@ function setupFixture(fixtureName) {
     fs_extra_1.default.mkdirpSync(cwd);
     fs_extra_1.default.copySync(fixturePath, cwd);
     (0, git_1.init)(cwd, "test@test.email", "test user");
+    // Ensure GPG signing doesn't interfere with tests
+    (0, git_1.gitFailFast)(["config", "commit.gpgsign", "false"], { cwd });
     // Make the 'main' branch the default in the test repo
     // ensure that the configuration for this repo does not collide
     // with any global configuration the user had made, so we have

package/lib/lockfile/parseNpmLock.js

@@ -1,11 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseNpmLock = void 0;
+const nameAtVersion_1 = require("./nameAtVersion");
+/**
+ * formatNpmLock reformats the dependencies object, so the key includes the version, similarly to yarn.lock. For
+ * example, `"@microsoft/task-scheduler": { }` will become `"@microsoft/task-scheduler@2.7.1": { }`.
+ */
+const formatNpmLock = (previousValue, currentValue) => {
+    const [key, dependency] = currentValue;
+    previousValue[(0, nameAtVersion_1.nameAtVersion)(key, dependency.version)] = dependency;
+    return previousValue;
+};
 const parseNpmLock = (lock) => {
     var _a;
-    return ({
-        object: (_a = lock.dependencies) !== null && _a !== void 0 ? _a : {},
+    const dependencies = Object.entries((_a = lock.dependencies) !== null && _a !== void 0 ? _a : {}).reduce(formatNpmLock, {});
+    return {
+        object: dependencies,
         type: "success",
-    });
+    };
 };
 exports.parseNpmLock = parseNpmLock;

package/lib/workspaces/implementations/index.d.ts

@@ -3,8 +3,12 @@ export interface ImplementationAndLockFile {
     implementation: WorkspaceImplementations | undefined;
     lockFile: string;
 }
-export declare function getWorkspaceImplementationAndLockFile(cwd: string): {
+export declare function getWorkspaceImplementationAndLockFile(cwd: string, cache?: {
+    [cwd: string]: ImplementationAndLockFile;
+}): {
     implementation: WorkspaceImplementations | undefined;
     lockFile: string;
 } | undefined;
-export declare function getWorkspaceImplementation(cwd: string): WorkspaceImplementations | undefined;
+export declare function getWorkspaceImplementation(cwd: string, cache?: {
+    [cwd: string]: ImplementationAndLockFile;
+}): WorkspaceImplementations | undefined;

package/lib/workspaces/implementations/index.js

@@ -6,12 +6,12 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getWorkspaceImplementation = exports.getWorkspaceImplementationAndLockFile = void 0;
 const find_up_1 = __importDefault(require("find-up"));
 const path_1 = __importDefault(require("path"));
-const cache = {};
-function getWorkspaceImplementationAndLockFile(cwd) {
+const workspaceCache = {};
+function getWorkspaceImplementationAndLockFile(cwd, cache = workspaceCache) {
     if (cache[cwd]) {
         return cache[cwd];
     }
-    const lockFile = find_up_1.default.sync(["lerna.json", "yarn.lock", "pnpm-workspace.yaml", "rush.json", "package-lock.json"], {
+    const lockFile = find_up_1.default.sync(["lerna.json", "rush.json", "yarn.lock", "pnpm-workspace.yaml", "package-lock.json"], {
         cwd,
     });
     if (!lockFile) {
@@ -52,8 +52,8 @@ function getWorkspaceImplementationAndLockFile(cwd) {
     return cache[cwd];
 }
 exports.getWorkspaceImplementationAndLockFile = getWorkspaceImplementationAndLockFile;
-function getWorkspaceImplementation(cwd) {
+function getWorkspaceImplementation(cwd, cache = workspaceCache) {
     var _a;
-    return (_a = getWorkspaceImplementationAndLockFile(cwd)) === null || _a === void 0 ? void 0 : _a.implementation;
+    return (_a = getWorkspaceImplementationAndLockFile(cwd, cache)) === null || _a === void 0 ? void 0 : _a.implementation;
 }
 exports.getWorkspaceImplementation = getWorkspaceImplementation;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "workspace-tools",
-  "version": "0.18.1",
+  "version": "0.18.4",
   "license": "MIT",
   "repository": {
     "type": "git",