Merge pull request #485 from github/npm-workspaces

Initial support for npm workspaces

docs/sources/npm.md

@@ -2,7 +2,7 @@
 
 The npm source will detect dependencies `package.json` is found at an apps `source_path`.  It uses `npm list` to enumerate dependencies and metadata.
 
-### Including development dependencies
+## Including development dependencies
 
 By default, the npm source will exclude all development dependencies. To include development or test dependencies, set `production_only: false` in the licensed configuration.
 
@@ -10,3 +10,13 @@ By default, the npm source will exclude all development dependencies. To include
 npm:
   production_only: false
 ```
+
+## Using licensed with npm workspaces
+
+Licensed requires npm version 8.5.0 or later to enumerate dependencies inside of npm workspaces.  For the best results, treat each workspace directory as a separate app `source_path`:
+
+```yml
+apps:
+  - source_path: path/to/workspace/a
+  - source_path: path/to/workspace/b
+```

lib/licensed/sources/npm.rb

@@ -24,11 +24,13 @@ module Licensed
       end
 
       def enabled?
-        Licensed::Shell.tool_available?("npm") && File.exist?(config.pwd.join("package.json"))
+        Licensed::Shell.tool_available?("npm") && File.exist?(package_json_path)
       end
 
       def enumerate_dependencies
         packages.map do |name, package|
+          next if package["name"] == project_name
+
           errors = package["problems"] unless package["path"]
           Dependency.new(
             name: name,
@@ -159,6 +161,26 @@ module Licensed
       def extract_version(parent, name)
         parent&.dig("_dependencies", name) || peer_dependency(parent, name)
       end
+
+      # Returns the current projects name
+      def project_name
+        return unless package_json
+        package_json["name"]
+      end
+
+      ## Returns the parse package.json for the current project
+      def package_json
+        return unless File.exist?(package_json_path)
+
+        @package_json ||= JSON.parse(File.read(package_json_path))
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse package.json. JSON Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+
+      def package_json_path
+        @package_json_path ||= File.join(config.pwd, "package.json")
+      end
     end
   end
 end

test/fixtures/npm/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "fixtures",
+  "name": "licensed-fixtures",
   "version": "1.0.0",
   "dependencies": {
     "@github/query-selector": "1.0.3",
@@ -11,6 +11,9 @@
   "devDependencies": {
     "string.prototype.startswith": "0.2.0"
   },
+  "workspaces": [
+    "packages/a"
+  ],
   "description": "npm test fixture",
   "repository": "https://github.com/github/licensed",
   "license": "MIT"

test/fixtures/npm/packages/a/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "licensed-fixtures-a",
+  "version": "1.0.0",
+  "description": "",
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "callbackify": "1.1.0"
+  }
+}

test/sources/npm_test.rb

@@ -135,6 +135,31 @@ if Licensed::Shell.tool_available?("npm")
           end
         end
       end
+
+      describe "from a workspace" do
+        let(:fixtures) { File.expand_path("../../fixtures/npm/packages/a", __FILE__) }
+
+        it "finds dependencies" do
+          # workspaces will only work as expected with npm > 8.5.0
+          skip if source.npm_version < Gem::Version.new("8.5.0")
+
+          Dir.chdir fixtures do
+            dep = source.dependencies.detect { |d| d.name == "callbackify" }
+            assert dep
+            assert_equal "npm", dep.record["type"]
+            assert_equal "1.1.0", dep.version
+          end
+        end
+
+        it "does not include the current workspace project" do
+          # workspaces will only work as expected with npm > 8.5.0
+          skip if source.npm_version < Gem::Version.new("8.5.0")
+
+          Dir.chdir fixtures do
+            refute source.dependencies.detect { |d| d.name == "licensed-fixtures-a" }
+          end
+        end
+      end
     end
 
     describe "missing dependencies (glob is missing package)" do