Add support for pnpm as a source about licensed HOT 22 CLOSED

@jonabc using pnpm at all should be sufficient to reproduce. I just created a new package with npm init and added just one dep of ember-cli and I can reproduce the error.

sources:
  npm: true

allowed:
  - mit
  - isc
  - bsd
  - bsd-2-clause
  - bsd-3-clause
  - wtfpl
  - apache-2.0
  - cc0-1.0

pnpm 7.26.3
npm 6.14.17

from licensed.

@rwwagner90 I hear you on the pnpm source and agree that it's the best solution to the current problem. I'm just a little strapped for time. I'll try to get something put together over the next few days.

from licensed.

Ah sorry I missed documenting a difference between the npm and pnpm sources. With the pnpm source, you'll need to specify dependencies in the configuration file as <name>@<version>. This is eventually going to be the norm for all dependencies in a future major version bump, and the pnpm source is being used to lead the way and uncover any issues related to that change.

from licensed.

Perhaps there is an issue since we are using pnpm?

That would be my initial guess. I've only used pnpm a handful of times and I'm not terribly familiar with how it interacts with npm during package management, if it interacts at all.

1. What version of npm and pnpm are you using?
2. Can you provide the dependencies and devDependencies sections of your package.json so I can try to repro locally?

from licensed.

You will have to pnpm i --shamefully-hoist to get pnpm to hoist packages rather than using all symlinks.

from licensed.

Also, FYI there is a pnpm licenses ls command which will list all the licenses, so perhaps we could leverage that here?

from licensed.

Looks like something like pnpm licenses list --long --json gives us deps grouped by license types in JSON format. Could we add a source that parses that?

from licensed.

Looks like something like pnpm licenses list --long --json gives us deps grouped by license types in JSON format. Could we add a source that parses that?

I took a look and wow this is the first time I've seen a package manager provide exactly the information that's needed by this tool 😂 . A new source sounds like a good idea, I'll take a look when I get a chance but in the immediate future I'll look to fix the underlying issue with the npm source.

from licensed.

🤔 scratch the previous comment, I think pnpm might generally just be incompatible with npm CLI commands? whether I pnpm install using --shamefully-hoist or not, npm list --all --json --production --long is returning a ton of errors from what pnpm is reporting as optional dependencies. I'll try to get to creating the pnpm source sooner rather than later

I'm using npm 8.5.0 and pnpm 7.26.3

from licensed.

@jonabc you want to use pnpm commands, not npm ones. pnpm licenses list --long --json --prod would be the pnpm equivalent of what you are trying to run with npm I think. I think we should add a new source that runs the pnpm commands.

from licensed.

@rwwagner90 yep, I was trying to resolve the original issue from this ticket that talks about the npm source raising an error. the npm source doesn't use any pnpm commands

from licensed.

@jonabc fair enough. I'm not sure if it is possible to make the npm source work here though, so we should focus on pnpm. Anything I can do to help? I don't really know ruby myself, so I don't think I would have much luck implementing the source myself.

from licensed.

@jonabc is there anything we can do to be helpful in the meantime? Some of my colleagues know ruby pretty well, so perhaps we could get a PR up, but if you already know exactly what you would do here, perhaps it would be better to wait. Just let us know how we can best help!

from licensed.

@rwwagner90 if you're able to hold tight for me to get the basic structure in place that would be best. pnpm should be one of the easier package managers to integrate, but it would still probably go faster if I put in the base of the integration. once that's done I'd love any extra eyes or help with any edge cases, bugs, or improvements that come up.

is pnpm support blocking anything critical for you?

from licensed.

@jonabc not super critical. I've spent the past couple weeks getting pnpm up and running on our repos. Now all the tests are passing and such, but we're unable to run license checks, so it is blocking somewhat, but not critical.

from licensed.

@rwwagner90 I've got the basics of a source up at #626. As mentioned in the PR the only real quirk I found with pnpm was that the cli doesn't return data only for a specific workspace. The pnpm licenses list command is still not finalized though according to the documentation so it's possible that is coming soon 🤷 . It should be easy to incorporate workspaces similar to the npm source if/when the pnpm CLI supports it.

from licensed.

Awesome, thank you so much for the quick turnaround!

from licensed.

@jonabc would it be possible to get a new release with these changes? Thanks again for your help!

from licensed.

yes it is coming, I'm working through some other changes to include in the release and should have a release out today.

from licensed.

@jonabc it seems there is a bug where ignored is not working for pnpm

We have this, and some of these are showing up as not being valid, when they should instead be ignored.

ignored:
  pnpm:
    - bindings                     # MIT
    - fsevents-*                   # MIT
    - file-uri-to-path             # MIT
    - jsonify                      # Public Domain
    - nan                          # MIT
    - regenerator-transform-0.10.1 # BSD*
    - spdx-exceptions              # CC-BY-3.0

from licensed.

@jonabc thanks for the info! Does the version support globs or semver strings or anything? Like foo@* or foo@^6.0.0 etc

from licensed.

@RobbieTheWagner I've added support for version matching in #629. Note that version range matching uses Ruby's semver support which is a little different than node's semver package. I've updated the ignoring and reviewing docs in that PR with some usage hints including links to Ruby's documentation on semver support.

from licensed.