refactor(plugin-js-packages): option to provide package json path

Author: vmasek

.verdaccio/config.yml

@@ -35,3 +35,7 @@ log:
 
 publish:
   allow_offline: true # set offline to true to allow publish offline
+
+middlewares:
+  audit:
+    enabled: true # needed to run npm audit in e2e test folder

e2e/plugin-js-packages-e2e/mocks/fixtures/npm-repo/code-pushup.config.ts

@@ -1,7 +1,16 @@
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import jsPackagesPlugin from '@code-pushup/js-packages-plugin';
 import type { CoreConfig } from '@code-pushup/models';
 
+const thisConfigFolder = fileURLToPath(dirname(import.meta.url));
+
 export default {
-  persist: { outputDir: './' },
-  plugins: [await jsPackagesPlugin({ packageManager: 'npm' })],
+  persist: { outputDir: thisConfigFolder, format: ['json'] },
+  plugins: [
+    await jsPackagesPlugin({
+      packageManager: 'npm',
+      packageJsonPath: join(thisConfigFolder, 'package.json'),
+    }),
+  ],
 } satisfies CoreConfig;

e2e/plugin-js-packages-e2e/tests/plugin-js-packages.e2e.test.ts

@@ -7,8 +7,11 @@ import {
   reportSchema,
 } from '@code-pushup/models';
 import { nxTargetProject } from '@code-pushup/test-nx-utils';
-import { teardownTestFolder } from '@code-pushup/test-setup';
-import { E2E_ENVIRONMENTS_DIR, TEST_OUTPUT_DIR } from '@code-pushup/test-utils';
+import {
+  E2E_ENVIRONMENTS_DIR,
+  TEST_OUTPUT_DIR,
+  teardownTestFolder,
+} from '@code-pushup/test-utils';
 import { executeProcess, readJsonFile } from '@code-pushup/utils';
 
 describe('plugin-js-packages', () => {
@@ -37,13 +40,19 @@ describe('plugin-js-packages', () => {
 
   it('should run JS packages plugin for NPM and create report.json', async () => {
     const { code } = await executeProcess({
-      command: 'node',
+      command: 'npx',
       args: [
-        '../../node_modules/@code-pushup/cli/src/index.js',
+        '@code-pushup/cli',
         'collect',
+        '--verbose',
         '--no-progress',
+        `--config=${path.join(
+          TEST_OUTPUT_DIR,
+          'npm-repo',
+          'code-pushup.config.ts',
+        )}`,
       ],
-      cwd: npmRepoDir,
+      cwd: path.join(E2E_ENVIRONMENTS_DIR, nxTargetProject()),
     });
 
     expect(code).toBe(0);
@@ -89,8 +98,9 @@ describe('plugin-js-packages', () => {
 
     const expressOutdatedIssue = npmOutdatedProd.details!.issues![0]!;
     expect(expressOutdatedIssue.severity).toBe('error');
-    expect(expressOutdatedIssue.message).toMatch(
-      /^Package \[`express`]\(http:\/\/expressjs\.com\/?\) requires a \*\*major\*\* update from \*\*3.0.0\*\* to \*\*\d+\.\d+\.\d+\*\*\.$/,
+    expect(expressOutdatedIssue?.message).toContain('express');
+    expect(expressOutdatedIssue?.message).toContain(
+      'requires a **major** update from **3.0.0** to',
     );
 
     expect(() => reportSchema.parse(report)).not.toThrow();

packages/plugin-js-packages/README.md

@@ -113,7 +113,7 @@ The plugin accepts the following parameters:
 - `packageManager`: The package manager you are using. Supported values: `npm`, `yarn-classic` (v1), `yarn-modern` (v2+), `pnpm`.
 - (optional) `checks`: Array of checks to be run. Supported commands: `audit`, `outdated`. Both are configured by default.
 - (optional) `dependencyGroups`: Array of dependency groups to be checked. `prod` and `dev` are configured by default. `optional` are opt-in.
-- (optional) `packageJsonPaths`: File path(s) to `package.json`. Root `package.json` is used by default. Multiple `package.json` paths may be passed. If `{ autoSearch: true }` is provided, all `package.json` files in the repository are searched.
+- (optional) `packageJsonPath`: File path to `package.json`. Root `package.json` at CWD is used by default.
 - (optional) `auditLevelMapping`: If you wish to set a custom level of issue severity based on audit vulnerability level, you may do so here. Any omitted values will be filled in by defaults. Audit levels are: `critical`, `high`, `moderate`, `low` and `info`. Issue severities are: `error`, `warn` and `info`. By default the mapping is as follows: `critical` and `high` → `error`; `moderate` and `low` → `warning`; `info` → `info`.
 
 ### Audits and group

packages/plugin-js-packages/src/lib/config.ts

@@ -18,16 +18,14 @@ const packageManagerIdSchema = z.enum([
 export type PackageManagerId = z.infer<typeof packageManagerIdSchema>;
 
 const packageJsonPathSchema = z
-  .union([
-    z.array(z.string()).min(1),
-    z.object({ autoSearch: z.literal(true) }),
-  ])
+  .string()
+  .regex(/package\.json$/, 'File path must end with package.json')
   .describe(
-    'File paths to package.json. Looks only at root package.json by default',
+    'File path to package.json, tries to use root package.json at CWD by default',
   )
-  .default(['package.json']);
+  .default('package.json');
 
-export type PackageJsonPaths = z.infer<typeof packageJsonPathSchema>;
+export type PackageJsonPath = z.infer<typeof packageJsonPathSchema>;
 
 export const packageAuditLevels = [
   'critical',
@@ -75,7 +73,7 @@ export const jsPackagesPluginConfigSchema = z.object({
     })
     .default(defaultAuditLevelMapping)
     .transform(fillAuditLevelMapping),
-  packageJsonPaths: packageJsonPathSchema,
+  packageJsonPath: packageJsonPathSchema,
 });
 
 export type JSPackagesPluginConfig = z.input<

packages/plugin-js-packages/src/lib/config.unit.test.ts

@@ -15,7 +15,7 @@ describe('jsPackagesPluginConfigSchema', () => {
         checks: ['audit'],
         packageManager: 'yarn-classic',
         dependencyGroups: ['prod'],
-        packageJsonPaths: ['./ui-app/package.json', './ui-e2e/package.json'],
+        packageJsonPath: './ui-app/package.json',
       } satisfies JSPackagesPluginConfig),
     ).not.toThrow();
   });
@@ -36,7 +36,7 @@ describe('jsPackagesPluginConfigSchema', () => {
       checks: ['audit', 'outdated'],
       packageManager: 'npm',
       dependencyGroups: ['prod', 'dev'],
-      packageJsonPaths: ['package.json'],
+      packageJsonPath: 'package.json',
       auditLevelMapping: {
         critical: 'error',
         high: 'error',
@@ -47,15 +47,6 @@ describe('jsPackagesPluginConfigSchema', () => {
     });
   });
 
-  it('should accept auto search for package.json files', () => {
-    expect(() =>
-      jsPackagesPluginConfigSchema.parse({
-        packageManager: 'yarn-classic',
-        packageJsonPaths: { autoSearch: true },
-      } satisfies JSPackagesPluginConfig),
-    ).not.toThrow();
-  });
-
   it('should throw for no passed commands', () => {
     expect(() =>
       jsPackagesPluginConfigSchema.parse({

packages/plugin-js-packages/src/lib/runner/index.ts

@@ -16,7 +16,7 @@ import {
   type AuditSeverity,
   type DependencyGroup,
   type FinalJSPackagesPluginConfig,
-  type PackageJsonPaths,
+  type PackageJsonPath,
   type PackageManagerId,
   dependencyGroups,
 } from '../config.js';
@@ -25,7 +25,7 @@ import { packageManagers } from '../package-managers/package-managers.js';
 import { auditResultToAuditOutput } from './audit/transform.js';
 import type { AuditResult } from './audit/types.js';
 import { outdatedResultToAuditOutput } from './outdated/transform.js';
-import { findAllPackageJson, getTotalDependencies } from './utils.js';
+import { getTotalDependencies } from './utils.js';
 
 export async function createRunnerConfig(
   scriptPath: string,
@@ -55,16 +55,21 @@ export async function executeRunner({
     packageManager,
     checks,
     auditLevelMapping,
-    packageJsonPaths,
+    packageJsonPath,
     dependencyGroups: depGroups,
   } = await readJsonFile<FinalJSPackagesPluginConfig>(runnerConfigPath);
 
   const auditResults = checks.includes('audit')
-    ? await processAudit(packageManager, depGroups, auditLevelMapping)
+    ? await processAudit(
+        packageManager,
+        depGroups,
+        auditLevelMapping,
+        packageJsonPath,
+      )
     : [];
 
   const outdatedResults = checks.includes('outdated')
-    ? await processOutdated(packageManager, depGroups, packageJsonPaths)
+    ? await processOutdated(packageManager, depGroups, packageJsonPath)
     : [];
   const checkResults = [...auditResults, ...outdatedResults];
 
@@ -75,21 +80,17 @@ export async function executeRunner({
 async function processOutdated(
   id: PackageManagerId,
   depGroups: DependencyGroup[],
-  packageJsonPaths: PackageJsonPaths,
+  packageJsonPath: PackageJsonPath,
 ) {
   const pm = packageManagers[id];
   const { stdout } = await executeProcess({
     command: pm.command,
     args: pm.outdated.commandArgs,
-    cwd: process.cwd(),
+    cwd: packageJsonPath ? path.dirname(packageJsonPath) : process.cwd(),
     ignoreExitCode: true, // outdated returns exit code 1 when outdated dependencies are found
   });
 
-  // Locate all package.json files in the repository if not provided
-  const finalPaths = Array.isArray(packageJsonPaths)
-    ? packageJsonPaths
-    : await findAllPackageJson();
-  const depTotals = await getTotalDependencies(finalPaths);
+  const depTotals = await getTotalDependencies(packageJsonPath);
 
   const normalizedResult = pm.outdated.unifyResult(stdout);
   return depGroups.map(depGroup =>
@@ -106,6 +107,7 @@ async function processAudit(
   id: PackageManagerId,
   depGroups: DependencyGroup[],
   auditLevelMapping: AuditSeverity,
+  packageJsonPath: PackageJsonPath,
 ) {
   const pm = packageManagers[id];
   const supportedAuditDepGroups =
@@ -120,7 +122,7 @@ async function processAudit(
         const { stdout } = await executeProcess({
           command: pm.command,
           args: pm.audit.getCommandArgs(depGroup),
-          cwd: process.cwd(),
+          cwd: packageJsonPath ? path.dirname(packageJsonPath) : process.cwd(),
           ignoreExitCode: pm.audit.ignoreExitCode,
         });
         return [depGroup, pm.audit.unifyResult(stdout)];

packages/plugin-js-packages/src/lib/runner/runner.integration.test.ts

@@ -12,7 +12,7 @@ describe('createRunnerConfig', () => {
       checks: ['audit'],
       auditLevelMapping: defaultAuditLevelMapping,
       dependencyGroups: ['prod', 'dev'],
-      packageJsonPaths: ['package.json'],
+      packageJsonPath: 'package.json',
     });
     expect(runnerConfig).toStrictEqual<RunnerConfig>({
       command: 'node',
@@ -32,7 +32,7 @@ describe('createRunnerConfig', () => {
       checks: ['outdated'],
       dependencyGroups: ['prod', 'dev'],
       auditLevelMapping: { ...defaultAuditLevelMapping, moderate: 'error' },
-      packageJsonPaths: ['package.json'],
+      packageJsonPath: 'package.json',
     };
     const { configFile } = await createRunnerConfig(
       'executeRunner.ts',

packages/plugin-js-packages/src/lib/runner/utils.ts

@@ -1,13 +1,10 @@
-import path from 'node:path';
 import {
-  crawlFileSystem,
   objectFromEntries,
   objectToKeys,
   readJsonFile,
 } from '@code-pushup/utils';
 import type { AuditResult, Vulnerability } from './audit/types.js';
 import {
-  type DependencyGroupLong,
   type DependencyTotals,
   type PackageJson,
   dependencyGroupLong,
@@ -54,41 +51,18 @@ export function filterAuditResult(
   };
 }
 
-// TODO: use .gitignore
-export async function findAllPackageJson(): Promise<string[]> {
-  return (
-    await crawlFileSystem({
-      directory: '.',
-      pattern: /(^|[\\/])package\.json$/,
-    })
-  ).filter(
-    filePath =>
-      !filePath.startsWith(`node_modules${path.sep}`) &&
-      !filePath.includes(`${path.sep}node_modules${path.sep}`) &&
-      !filePath.startsWith(`.nx${path.sep}`),
-  );
-}
-
 export async function getTotalDependencies(
-  packageJsonPaths: string[],
+  packageJsonPath: string,
 ): Promise<DependencyTotals> {
-  const parsedDeps = await Promise.all(
-    packageJsonPaths.map(readJsonFile<PackageJson>),
-  );
+  const parsedDeps = await readJsonFile<PackageJson>(packageJsonPath);
 
-  const mergedDeps = parsedDeps.reduce<Record<DependencyGroupLong, string[]>>(
-    (acc, depMapper) =>
-      objectFromEntries(
-        dependencyGroupLong.map(group => {
-          const deps = depMapper[group];
-          return [
-            group,
-            [...acc[group], ...(deps == null ? [] : objectToKeys(deps))],
-          ];
-        }),
-      ),
-    { dependencies: [], devDependencies: [], optionalDependencies: [] },
+  const mergedDeps = objectFromEntries(
+    dependencyGroupLong.map(group => {
+      const deps = parsedDeps[group];
+      return [group, deps == null ? [] : objectToKeys(deps)];
+    }),
   );
+
   return objectFromEntries(
     objectToKeys(mergedDeps).map(deps => [
       deps,

packages/plugin-js-packages/src/lib/runner/utils.unit.test.ts

@@ -4,34 +4,7 @@ import { describe, expect, it } from 'vitest';
 import { MEMFS_VOLUME } from '@code-pushup/test-utils';
 import type { AuditResult, Vulnerability } from './audit/types.js';
 import type { DependencyTotals, PackageJson } from './outdated/types.js';
-import {
-  filterAuditResult,
-  findAllPackageJson,
-  getTotalDependencies,
-} from './utils.js';
-
-describe('findAllPackageJson', () => {
-  beforeEach(() => {
-    vol.fromJSON(
-      {
-        'package.json': '',
-        [path.join('ui', 'package.json')]: '',
-        [path.join('ui', 'ng-package.json')]: '', // non-exact file match should be excluded
-        [path.join('.nx', 'cache', 'ui', 'package.json')]: '', // nx cache should be excluded
-        [path.join('node_modules', 'eslint', 'package.json')]: '', // root node_modules should be excluded
-        [path.join('ui', 'node_modules', 'eslint', 'package.json')]: '', // project node_modules should be excluded
-      },
-      MEMFS_VOLUME,
-    );
-  });
-
-  it('should return all valid package.json files (exclude .nx, node_modules)', async () => {
-    await expect(findAllPackageJson()).resolves.toEqual([
-      'package.json',
-      path.join('ui', 'package.json'),
-    ]);
-  });
-});
+import { filterAuditResult, getTotalDependencies } from './utils.js';
 
 describe('getTotalDependencies', () => {
   beforeEach(() => {
@@ -64,23 +37,20 @@ describe('getTotalDependencies', () => {
 
   it('should return correct number of dependencies', async () => {
     await expect(
-      getTotalDependencies([path.join(MEMFS_VOLUME, 'package.json')]),
+      getTotalDependencies(path.join(MEMFS_VOLUME, 'package.json')),
     ).resolves.toStrictEqual({
       dependencies: 1,
       devDependencies: 3,
       optionalDependencies: 0,
     } satisfies DependencyTotals);
   });
 
-  it('should merge dependencies for multiple package.json files', async () => {
+  it('should return dependencies for nested package.json file', async () => {
     await expect(
-      getTotalDependencies([
-        path.join(MEMFS_VOLUME, 'package.json'),
-        path.join(MEMFS_VOLUME, 'ui', 'package.json'),
-      ]),
+      getTotalDependencies(path.join(MEMFS_VOLUME, 'ui', 'package.json')),
     ).resolves.toStrictEqual({
       dependencies: 2,
-      devDependencies: 4,
+      devDependencies: 1,
       optionalDependencies: 1,
     } satisfies DependencyTotals);
   });