lerna add ignores npmrc settings in monorepo root

[bajtos]

On my machine, I am using the following npm configuration:

Config in home (~/.npmrc):

package-lock=false

Config in our monorepo (https://github.com/strongloop/loopback-next/blob/master/.npmrc):

package-lock=true

When I run lerna add {pkg} in a monorepo, no package-lock file is created in packages. I have to copy monorepo's .npmrc files into all packages to enable package-lock feature packages too.

Expected Behavior

When lerna executes npm commands in a package directory, then it applies npm configuration specified in monorepo's root directory.

Current Behavior

The configuration specified in monorepo's root directory is applied only when executing npm in the monorepo scope. Projects using custom npm configuration must duplicate this config in every package directory.

Possible Solution

• lerna bootstrap can create symlinks to distribute monorepo's npm configuration to all packages. This would not allow individual packages to further override config shared in the monorepo.

• Commands like lerna add can merge the content of .npmrc files at monorepo-level and package-level before calling out to npm and then revert the changes after npm returns. We are already doing something similar with package.json files when installing dependencies.

• Once npm adds support for workspaces, this problem may go away automatically 🤞

Steps to Reproduce (for bugs)

1. Disable package-lock in your user-level npm config file (~/.npmrc):

   package-lock=false
   

2. Create a simple monorepo with few packages. Enable package-lock in monorepo's root ~/.npmrc file:

   package-lock=true
   

   You can use my sandbox here: https://github.com/bajtos/lerna-package-locks/tree/root-npmrc-ignored

3. Add a new dependency to all packages (it's important to omit the scope because of lerna add --scope does not update package-lock file  #1989):

   lerna add p-map
   

4. Run git status to see what has changed:

   $ git status
   (...)
       modified:   packages/app/package.json
       modified:   packages/helpers/package.json
   

lerna.json

{
  "lerna": "3.3.0",
  "packages": [
    "packages/*"
  ],
  "version": "independent"
}

Context

Historically, LoopBack consisted of many individual packages that were intentionally not using package-lock feature. As a module author, I want to always install the latest version of my dependencies, to ensure I use the same versions that consumers of my module would use too. That's why my user-level npm config is disabling package locks.

In loopback-next, our current monorepo codebase, we enabled Greenkeeper to watch new versions of our dependencies. With that watcher in place, we enabled package-lock too, with the motivation to speed up install times.

Unfortunately, to get package locks working on all machines, regardless of the global and user-level config, we have to duplicate .npmrc files in all packages of our monorepo.

Your Environment

Executable	Version
lerna --version	3.13.1
npm --version	6.9.0
yarn --version	n/a
node --version	v10.15.0

OS	Version
macOS Mojave	10.14.3

Please note my global npm config in ~/.npmrc is disabling the package-lock feature.

[JamesHenry]

Hi Folks 👋

Please take a look at our published roadmap for Lerna v7 here: #3410

One of the key items covered at length on there (please do read it for full context) is that now that we find ourselves in late 2022, it no longer makes sense for lerna to supplement package management concerns (such as installation, boostrapping, linking etc) which are covered reliably for monorepo workspaces by the three main package managers: npm, yarn and pnpm. lerna bootstrap et al were developed in completely different era of the JavaScript ecosystem.

If you have any specific concerns please do join in on that discussion, and provide as much context as possible.

Many thanks 🙏