RTECO-1055 - Treat pnpm workspace as standalone #431

Open
fluxxBot wants to merge 1 commit into main from RTECO-1055-pnpmWorkspace

fluxxBot (Collaborator) commented Apr 23, 2026

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • Appropriate label is added to auto generate release notes.
  • I used gofmt for formatting the code before submitting the pull request.
  • PR description is clear and concise, and it includes the proposed solution/fix.

Problem

jf pnpm install unconditionally ran pnpm ls -r --depth Infinity --json when collecting build-info. This ignored the user's workspace intent in two scenarios:

  1. Sub-package invocation: cd apps/web-app && jf pnpm install produced a multi-module build-info containing every workspace package, not just web-app.
  2. --ignore-workspace flag: pnpm install --ignore-workspace was honored by pnpm during install, but the subsequent pnpm ls -r re-enumerated the entire monorepo, leaking sibling/root deps into the build-info.

Downstream SBOM / Xray consumers therefore saw phantom dependencies that didn't actually belong to the built package.

Fix

The build-info pnpm ls call now matches the user's intent:

  • isPnpmWorkspaceSubPackage — uses pnpm root -w plus symlink-resolved path compare. When the working directory is a workspace sub-package, -r is dropped and only the current package's deps are collected.
  • extractLsForwardFlags — forwards --ignore-workspace from the install args to pnpm ls, so build-info respects the flag.
  • buildPnpmLsArgs — also drops -r when --ignore-workspace is forwarded (pnpm would otherwise emit concatenated JSON arrays that aren't parseable by encoding/json).

Workspace-root invocation without --ignore-workspace keeps the existing -r multi-module behavior — no regression for current CI flows.

Tests

  • Unit tests for extractLsForwardFlags, buildPnpmLsArgs (all branches), samePath, isPnpmWorkspaceSubPackage.
  • Companion E2E tests in jfrog-cli (linked PR) — verified end-to-end against a real Artifactory instance.

depends on:

  1. RTECO-1055 - Treat pnpm workspace as standalone jfrog-cli#3451
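
As an added illustration (not code from this PR or from the project), the Go sketch below reproduces the pnpm ls argument selection described under Fix, including the symlink-resolved path comparison. The names resolve, isSubPackage, forwardedLsFlags and lsArgs are hypothetical, and it assumes pnpm root -w prints the workspace root's node_modules directory, passed in as a string so that nothing shells out.

```go
package main

import (
	"fmt"
	"path/filepath"
)

const ignoreWorkspace = "--ignore-workspace"

// resolve returns p with symlinks resolved, or the cleaned path if it cannot be resolved.
func resolve(p string) string {
	if r, err := filepath.EvalSymlinks(p); err == nil {
		return r
	}
	return filepath.Clean(p)
}

// isSubPackage reports whether cwd is a workspace member rather than the workspace root.
// Assumption: rootModules is the output of `pnpm root -w`, i.e. <workspace root>/node_modules.
func isSubPackage(cwd, rootModules string) bool {
	if rootModules == "" { // no workspace root reported: treat as a standalone project
		return false
	}
	return resolve(cwd) != resolve(filepath.Dir(rootModules))
}

// forwardedLsFlags keeps only the install flags that must also reach `pnpm ls`.
func forwardedLsFlags(installArgs []string) []string {
	for _, a := range installArgs {
		if a == ignoreWorkspace {
			return []string{ignoreWorkspace}
		}
	}
	return nil
}

// lsArgs builds the `pnpm ls` arguments. -r is kept only for a workspace-root run
// without --ignore-workspace, so the build-info lists what was actually installed.
func lsArgs(subPackage bool, forwarded []string) []string {
	args := []string{"ls", "--depth", "Infinity", "--json"}
	if !subPackage && len(forwarded) == 0 {
		args = append(args, "-r")
	}
	return append(args, forwarded...)
}

func main() {
	// Constructed inputs: a workspace-root run, then the same run with --ignore-workspace.
	fmt.Println(lsArgs(false, forwardedLsFlags([]string{"install"})))
	fmt.Println(lsArgs(false, forwardedLsFlags([]string{"install", ignoreWorkspace})))
}
```
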

fluxxBot added the improvement label (Automatically generated release notes) Apr 23, 2026
fluxxBot requested a review from bhanurp April 27, 2026 08:55
bhanurp self-requested a review April 28, 2026 07:59
fluxxBot force-pushed the RTECO-1055-pnpmWorkspace branch from 4077030 to 038c83d on April 30, 2026 09:41