pnpm deploy copies workspace dependencies ignored files #5961

Closed
yakovlev-alexey opened this issue Jan 20, 2023 · 2 comments · Fixed by #6016


yakovlev-alexey commented Jan 20, 2023

pnpm version: 7.25.0

Code to reproduce the issue:

https://github.com/yakovlev-alexey/pnpm-workspace-files-prop

Expected behavior:

Say package app depends on workspace package ui. ui has a .env file in it used for development. You run pnpm deploy app app-prod --prod. pnpm copies the workspace to the virtual store and creates the necessary links. When copying workspace packages, only files specified in the files property, if present, get copied. If .npmignore is present, then those files are also ignored.

pnpm respects .npmignore files and files package.json properties in both app and ui packages.

Actual behavior:

.env file in ui gets copied.

pnpm respects .npmignore files and files package.json properties in app (deployed) package

pnpm does not respect .npmignore files and files package.json properties in ui package (workspace dependencies)

This exposes files such as .env storing valuable secrets to, say, Docker image users. This also increases node_modules size since unnecessary source files also get copied.

Additional information:

  • node -v prints: v14.21.2
  • Windows, macOS, or Linux?: MacOS

@await-ovo (Member)

duplicate with #5911

@await-ovo (Member)

Could we add an includeOnlyPackageFiles option to the install method that will be passed to the directory-fetcher? We would only set this option to true at pnpm deploy. That way, workspace dependency should also respect the package.json files setting too:

Hi, @zkochan, do you think this way is doable, thanks ~
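
A post-deploy check for the leak described in this issue, as an added example that is not from the issue or the pnpm code base: it walks a `pnpm deploy` output directory and reports `.env`-style files and, for any package whose package.json declares `files`, files outside that allowlist. `auditDeploy` and its helpers are hypothetical names, the `.env` name pattern is an assumption, and the `files` matching is simplified to exact paths and directory prefixes (no globs, no `main` handling).

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Assumed pattern for files that must never ship; the issue itself names only .env.
const SECRET_NAME = /^\.env(\..+)?$/;
// Root-level files npm packs regardless of the "files" field.
const ALWAYS_PACKED = /^(package\.json|readme|licen[cs]e)[^/]*$/i;

// Regular files under dir (relative, "/"-separated). Symlinks are not followed,
// so each package copy is visited once at its real location.
function listFiles(dir, rel = "") {
  const out = [];
  for (const e of fs.readdirSync(path.join(dir, rel), { withFileTypes: true })) {
    const p = rel ? `${rel}/${e.name}` : e.name;
    if (e.isDirectory()) out.push(...listFiles(dir, p));
    else if (e.isFile()) out.push(p);
  }
  return out;
}

// Simplified "files" matching: exact path or directory prefix only, no globs.
function allowedByFiles(relPath, files) {
  if (ALWAYS_PACKED.test(relPath)) return true;
  return files.some((f) => {
    const entry = String(f).replace(/^\.\//, "").replace(/\/+$/, "");
    return relPath === entry || relPath.startsWith(entry + "/");
  });
}

// Returns [{ file, reason }] for files a deploy directory should not contain.
function auditDeploy(deployDir) {
  const all = listFiles(deployDir);
  const findings = all
    .filter((f) => SECRET_NAME.test(path.posix.basename(f)))
    .map((file) => ({ file, reason: "secret-like name" }));
  for (const manifest of all.filter((f) => path.posix.basename(f) === "package.json")) {
    let files;
    try {
      ({ files } = JSON.parse(fs.readFileSync(path.join(deployDir, manifest), "utf8")));
    } catch { continue; } // unparsable manifest, e.g. a test fixture
    if (!Array.isArray(files)) continue;
    const dir = path.posix.dirname(manifest);
    const prefix = dir === "." ? "" : dir + "/";
    for (const file of all) {
      const inner = file.startsWith(prefix) ? file.slice(prefix.length) : null;
      if (inner === null || /(^|\/)node_modules\//.test(inner)) continue; // other package
      if (!allowedByFiles(inner, files)) findings.push({ file, reason: 'outside "files"' });
    }
  }
  return findings;
}
```

Run it against the deploy target (app-prod in the issue) before building the image, and fail the build when it returns any findings.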
