-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to get license information of dependent packages when using yarn workspaces #349
Comments
@ledsun thanks for the report! I'll take a look when I'm able - is this an urgent issue for you? |
I'm in no hurry. I have a workaround. I assume that the cause of this issue is that yarn workspaces creates symbolic links in the node_modules directory.
I think licensed is getting the directory under node_modules in the next line: My workaround is a patch to replace this with |
👍 that makes sense. That would be an easy patch to put in but I'd like to learn more about how you'd expect licensed to work with them before adding that as a general fix. I'm also not super up to speed on yarn workspaces themselves. I've read a few docs on them and they appear to be a way to manage dependencies among multiple projects/packages in a monorepo setup when one project takes a dependency on another project in the repo... is that correct? I have a concern that a package with the same name and version but different licensing or other metadata might exist in different locations under Can you set up a reproduction environment for the problem, removing any sensitive and non-public content? I'm wondering whether building knowledge about workspaces into the yarn source would be more appropriate. Something like enumerating workspaces, then changing |
Sorry. I can't provide a reproducible environment. |
I'm running into this as well, specifically with package paths specified in Site note: I didn't want to store cached licenses in my repo, so each push runs |
@jonabc Please let me know if that helps or if I can provide anything else related to this! |
@jgeurts 👋 sorry I've been pretty busy and haven't had a chance to take a look. I'll try to get to it within the next 24 hrs |
@jguerts thanks for the example repo. the repo along with some additional yarn documentation for the
Off the top of my head this sounds like a fairly significant chunk of work, and as I mentioned things are pretty busy for me at the moment. Is this blocking you from using licensed and something you need fixed ASAP? |
Thank you for looking into this! It’s a blocker for me, but I’ll try working around it by removing the nohoist part of package.json before installing npms and running licensed. That should force all npms to install to the root. I’ve been holding off on that in case this was a relatively easy/quick update to licensed. |
I tried removing the
That mostly worked, but I had some troubles with licenses for some of the dependencies not coming through accurately. I'll open a separate issue for that, if I can get it reproducing. |
@jgeurts FYI I've started looking at a fix. There is some complexity in the solution but I'm hopeful to have this fixed and able to put out a release in the next few days. |
@jgeurts I've hit a wall in how to get useful information out of yarn's CLI that perhaps you might be more knowledgable on? When I call Even worse is that, at least with the version of yarn I have locally (1.22.10), yarn's hoisting mechanism is making packages available to workspaces that don't call them out as dependencies 😢 . I am able to use packages listed as a TBH I'm not sure how to support yarn workspaces given that I can't accurately tell what dependencies a project uses. For a tool that's purpose relates to licensing compliance I tend to err towards the safer option and am inclined to explicitly deny support for workspaces. I'll try with yarn v2 tomorrow and see if maybe they've fixed things in later versions. If you have any ideas on how to support this I'd be very interested in hearing them 😆 |
@jonabc This seems to also be an issue with npm workspaces: Project setup// ./package.json
{
"name": "@grano/mygrano-serverless",
"version": "1.0.0",
"description": "My Grano Serverless",
"private": true,
"workspaces": [
"serverless-utils",
"cognito",
"antivirus",
"ecom-cloudfront",
"iam-cloudfront",
"iam-ses-notifications",
"ses-events",
"ses"
]
}
// ./antivirus/package.json
{
"name": "@grano/antivirus",
"version": "1.0.0",
"description": "Virus Check Lambda for Widdix antivirus",
"private": true,
"dependencies": {
"@grano/logger": "^2.12.1",
"callbackify": "^1.1.0",
"dotenv": "^16.0.0",
"es6-promisify": "^7.0.0",
"lodash": "^4.17.21",
"superagent": "^7.1.1"
}
} # licensed.yml
apps:
- name: antivirus
source_path: "/home/runner/work/mygrano-serverless/mygrano-serverless/antivirus"
cache_path: "/home/runner/work/mygrano-serverless/mygrano-serverless/.licenses/antivirus"
sources:
- name: antivirus.npm Results:
I assume it's because npm de-dupes dependencies in the root node_modules folder, but licensed does not traverse into parent folders. |
For people having problems with npm workspaces I added this script before running licensed to work around the issue: echo "::group::Workspaces workaround"
WORKSPACES=$(jq -r '.workspaces // [] | join(" ")' package.json)
if [[ -n "$WORKSPACES" ]]; then
for package in $WORKSPACES; do
echo "Copying node_modules to $package"
rsync -r --exclude ".bin" --exclude "@my-org/*" ./node_modules/ "./$package/node_modules"
done
fi
echo "::endgroup::" |
thanks for the repro - taking a look! |
@villelahdenvuo in this case, the errors being reported by licensed are actually coming from npm. I set up a quick repro for the above setup and got the same errors running There's an issue that was opened on the npm cli about this where Are you able to upgrade to using npm 8.5+? I'd like to make that a requirement if possible for using npm workspaces because it allows the closest parity to existing licensed usage without requiring any additional configuration options. |
@jonabc Yeah I'm already using 8.5+ locally, I just need to make sure it's being used on the Github Actions also. Thanks for the investigation! |
I am using two workspaces.
And each workspace depends on the same package with different versions.
In this case, the package is installed under the workspace directory.
This is the output of the
yarn list
:In this case, licensed is unable to get the license information of the packages installed under the workspace directory.
The following is the output of the
licensed cache
:The text was updated successfully, but these errors were encountered: