-
Notifications
You must be signed in to change notification settings - Fork 994
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Properly infer .npmrc
for PNPM
#8094
Conversation
0eb24bc
to
72d0ca9
Compare
This is hard to test, but I did add a test to check that a properly scoped registry is generated in the .npmrc file when only one of the dependencies is listed in a configured private registry. I added a commit to simplify some npmrc generation tests at 0c0cc10. I could extract it to a separate PR but I'll set this as ready in any case. I plan to follow up with other PRs implementing this for NPM and Yarn, and eventually completely removing direct parsing of lockfiles from this class. But I think this is a good low risk first step. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's try it!
72d0ca9
to
ed9334c
Compare
In these case, the presence of a lockfile is irrelevant, so we can refactor the specs and make them independent of the package manager.
ed9334c
to
7bd8b2c
Compare
Ok let's try this! |
I just got a chance to test this. I can confirm that the credentials issue is now fixed. However, updating one dependency took about half an hour on my machine. Looking at the logs, a request is made to the private registry for each dependency available in the lock file for each dependency that needs to be updated. I stopped after the first. My thoughts are that came from using the new How can we speed up the operation for finding the registry? Or run it once? I haven't studied much of how it works to offer valid ideas yet. |
Thanks for testing @mburumaxwell. Yes, this is not performant. I see several improvements that can be made, like the one you suggest of running it just once, not once per dependency. I will look into it. As a workaround, you can commit an npmrc file with proper registry and scope configuration so that Dependabot does not need to infer it. |
I am not entirely sure that works. I tested this out with a repo that only pulls a few packages from one private feed and the rest from the default registry. Maybe my understanding of the npm ecosystem is low but here's the npmrc file:
It still goes slow. I tried executing step by step and through the dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb Lines 268 to 274 in 3887e23
Consequently, that will fall on dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb Lines 33 to 35 in 3887e23
I created a sample to try figure out what is happening or how to solve it.
Could there be something I am missing? |
Thanks for your investigation. I think that may be a problem with my patch. If scopes are already configured, I was not expecting to go through this logic. I'll look into it! |
@deivid-rodriguez As you look into this, I made an assumption that if the registry is not present in the lockfile, the global one should be used. It increased the speed significantly (the numerous HTTP requests are no longer made). I do not know what else it affects but at least it works as expected and could be a hint on which direction to check. |
…npm-auth-fix Properly infer `.npmrc` for PNPM
There are two issues:
NpmrcBuilder
to properly configure private registries. This was an oversight from the initial PNPM implementation since all other lockfile updaters (NPM and Yarn) do it.This issue is fixed by cherry-picking #8091 from @mburumaxwell.
NpmrcBuilder
only looks in the lockfile for finding the proper registry vs scope configuration, but can't work if the lockfile does not include registries or if parsing a specific lockfile is not implemented. However, we have a smarter class,RegistryFinder
, that can also infer the proper registry by directly querying it and checking which dependencies it serves. This class is already used by theUpdateChecker
and there's a TODO note on top ofNpmrcBuilder
to refactor it to useRegistryFinder
:dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
Lines 9 to 11 in 0d64ef2
The second commit refactors
NpmrcBuilder
to useRegistryFinder
, but just for PNPM. Once I validate that this works properly, I can migrate NPM & Yarn too and completely remove lockfile parsing code from this class.This PR should fix #7731.