Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure Corepack Usage for npm, pnpm, and yarn Command Execution #10944

Merged

Conversation

kbukum1
Copy link
Contributor

@kbukum1 kbukum1 commented Nov 15, 2024

What are you trying to accomplish?

This PR ensures that corepack is explicitly invoked when running npm, pnpm, and yarn commands. By calling corepack directly, we can guarantee that the correct package manager versions (installed via Corepack) are used for each command. This change helps prevent version mismatches and enhances consistency across different environments.

This change resolves inconsistencies in package manager versions used in different environments and addresses potential issues caused by mismatched versions.

Anything you want to highlight for special attention from reviewers?

The key change here is the addition of corepack to the npm, pnpm, and yarn command execution. This ensures that the commands run with the versions installed by Corepack. If there were multiple approaches to achieve this, I selected this one to make the execution explicit and straightforward.

How will you know you've accomplished your goal?

  • To confirm these changes, tests were run to verify that each package manager command executes correctly with Corepack and maintains version consistency.
  • This PR includes updates to run_npm_command, run_pnpm_command, and run_single_yarn_command to prepend corepack to each command, ensuring the correct version usage.
  • The implementation was verified by running the package manager commands and confirming the expected behavior.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@kbukum1 kbukum1 force-pushed the kamil/fix_installing_problem_for_npm_pnpm_yarn_using_corepack branch from c7e170f to bcb2cf8 Compare November 15, 2024 23:50
"corepack install #{name}@#{version} --global --cache-only",
fingerprint: "corepack install <name>@<version> --global --cache-only"
)

Copy link
Contributor Author

@kbukum1 kbukum1 Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved from PackageManagerHelper into Helpers.

@kbukum1 kbukum1 force-pushed the kamil/fix_installing_problem_for_npm_pnpm_yarn_using_corepack branch from 2bf87a5 to 49db410 Compare November 16, 2024 01:29
# Setup yarn and run a single yarn command returning stdout/stderr
sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
def self.run_yarn_command(command, fingerprint: nil)
setup_yarn_berry
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should check to see if we have run the setup command already and skip it if we have

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, since most of the codebase uses #run_single_yarn_command, should we update that method instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback. I will check if we can run the run_single_yarn_command and make changes accordingly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went over the code. I think we are already doing install in file_fetcher phase. So we don't need to re-run setup for that. Just we need to be sure that we are running commands through corepack. And in the following change we are running all command by using corepack. Also in setup_yarn_berry we are running multiple yarn commands with different conditions so I think this method is doing things with conditions and it is calling run_single_yarn_command which is expected to be right call.

https://github.com/dependabot/dependabot-core/pull/10944/files#diff-85ec3865f2fdb48045a2536b37b847156ed3bd3960afdc8bd900ae568de9acd7R295

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you’re suggesting that we configure setup_yarn_berry once and avoid re-running these commands, I can work on that. However, I think it would be better suited to a separate PR, as our priority is first ensuring everything runs smoothly with Corepack.

@Nishnha
Copy link
Member

Nishnha commented Nov 16, 2024

The direction of this PR makes sense to me. Do you have any data showing the inconsistent runs? We could use that to verify that this change makes them consistent again

@kbukum1 kbukum1 force-pushed the kamil/fix_installing_problem_for_npm_pnpm_yarn_using_corepack branch from 3dc21c9 to 6da1382 Compare November 18, 2024 18:05
@kbukum1
Copy link
Contributor Author

kbukum1 commented Nov 18, 2024

The direction of this PR makes sense to me. Do you have any data showing the inconsistent runs? We could use that to verify that this change makes them consistent again.

@Nishnha
I've checked the metrics, and they indicate that we’re always using the default package manager versions in our images. When I manually tried to retrieve the package manager versions within the image using corepack npm -v, corepack pnpm -v, and corepack yarn -v, I found that only the default installed versions are being used rather than the versions installed after detection.

After investigating further, I discovered that once a package manager is installed with corepack, it also needs to be activated. To ensure we’re using the correct installed version, we should activate it and then run commands using corepack #{name} #{command}.

Here are the details for the deployed and reverted changes for further reference: https://github.com/github/dependabot-updates/issues/7325
Dashboard link for metrics: Dependabot Ecosystem Metrics

Screenshot 2024-11-18 at 10 07 38 AM Screenshot 2024-11-18 at 10 07 32 AM

@@ -79,7 +82,7 @@
allow(Dependabot::Experiments).to receive(:enabled?)
.with(:npm_fallback_version_above_v6).and_return(npm_fallback_version_above_v6_enabled)
allow(Dependabot::Experiments).to receive(:enabled?)
.with(:npm_fallback_version_above_v6).and_return(npm_fallback_version_above_v6_enabled)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Duplicate!

@kbukum1 kbukum1 marked this pull request as ready for review November 18, 2024 20:53
@kbukum1 kbukum1 requested a review from a team as a code owner November 18, 2024 20:53
@kbukum1 kbukum1 requested a review from Nishnha November 18, 2024 21:01
fix installing pnpm version issue
improve the finding version  code
raise_if_unsupported!(name, version.to_s)

install(name, version) if name == PNPMPackageManager::NAME
end
end
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We want to install npm, and yarn versions as well. We removed the condition that only install for pnpm when version is guessed.

return manager_name.to_s if @lockfiles[manager_name.to_sym]
end
nil
PACKAGE_MANAGER_CLASSES.keys.map(&:to_s).find { |manager_name| @lockfiles[manager_name.to_sym] }
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix Sorbet Issue:

Dependabot::Sorbet::Runtime::InformationalError
Parameter 'name': Expected type T.nilable(String), got type Hash with value {"npm"=>Dependabot::NpmAndY...pmAndYarn::PNPMPackageManager}
Caller: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:221
Definition: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:282 (Dependabot::NpmAndYarn::PackageManagerHelper#package_manager_by_name)

PACKAGE_MANAGER_CLASSES.each_key do |manager_name| # iterates keys in order as defined in the hash
return manager_name.to_s if @manifest_package_manager.start_with?("#{manager_name}@")
PACKAGE_MANAGER_CLASSES.keys.map(&:to_s).find do |manager_name|
@manifest_package_manager.start_with?("#{manager_name}@")
end
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix Sorbet Issue:

Dependabot::Sorbet::Runtime::InformationalError
Parameter 'name': Expected type T.nilable(String), got type Hash with value {"npm"=>Dependabot::NpmAndY...pmAndYarn::PNPMPackageManager}
Caller: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:221
Definition: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:282 (Dependabot::NpmAndYarn::PackageManagerHelper#package_manager_by_name)

if version
raise_if_unsupported!(name, version.to_s)
install(name, version)
end
else
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This else is going to be removed in clean-up process of enable_corepack_for_npm_and_yarn feature flag after all checks.

@kbukum1 kbukum1 merged commit 8f037cf into main Nov 18, 2024
86 checks passed
@kbukum1 kbukum1 deleted the kamil/fix_installing_problem_for_npm_pnpm_yarn_using_corepack branch November 18, 2024 23:58
@broksonic21
Copy link

Flagging this ticket, which is blocking us on a number of our repositories today, and likely is related to this PR: #10982

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants