chore(ci): teach package-age check to walk pnpm-lock.yaml #213

Closed
opened 2026-06-21 16:37:10 +00:00 by james · 0 comments
Owner

Context

After the pnpm-workspaces restructure (#181), scripts/ci/check-package-ages.mjs no longer finds package-lock.json at the repo root and silently degrades to "no new packages." The <30-day package-age soft signal (ADR-0022) is effectively off in CI today. The signal is soft so the gap does not block merge, but the gate is no longer doing its documented job.

Source

  • CLAUDE.md "Package-age policy" bullet: "(The check currently reads npm package-lock.json format; pnpm-lock.yaml support is a follow-up after #181.)"
  • scripts/ci/check-package-ages.mjs lines 10-14: "NOTE (ticket #181): after the pnpm-workspaces restructure, this script no longer finds package-lock.json at the repo root and silently degrades to no new packages. Teaching the helper to walk pnpm-lock.yaml is a follow-up ticket; the policy is a soft signal so the gap is recoverable without merging risk."
  • PR #195 ("Out-of-scope follow-ups"): "Teach scripts/lib/package-ages.mjs to walk pnpm-lock.yaml so the package-age soft check resumes catching new packages on PRs."

Scope

  • Extend scripts/lib/package-ages.mjs extractPackagesFromLockfile to parse pnpm-lock.yaml v6/v9 format in addition to npm v3 package-lock.json.
  • Update scripts/ci/check-package-ages.mjs to read pnpm-lock.yaml instead of package-lock.json, and git show <baseRef>:pnpm-lock.yaml for the base.
  • Resolve registry URLs for each pnpm-lock entry (pnpm lockfile records npm: registry by default; private registries / aliases need handling).
  • Add pure-function unit tests for the new pnpm parser path against fixture lockfiles (small inline pnpm-lock.yaml snippets).
  • Confirm CI re-flags freshly-introduced young packages on a synthetic PR (e.g. bump a transitive).

Acceptance criteria

  • pnpm -F or root-level invocation of node scripts/ci/check-package-ages.mjs against the workspace produces the same offender set that the pre-#181 npm script did.
  • Unit tests cover npm and pnpm lockfile parsing paths.
  • A synthetic PR introducing a young package surfaces the sticky CI comment.
  • CLAUDE.md "Package-age policy" bullet is updated to drop the "follow-up after #181" caveat.

Composes with

  • ADR-0022 (the policy itself is unchanged; this is mechanics-only).
  • #181 (workspace restructure)
## Context After the pnpm-workspaces restructure (#181), `scripts/ci/check-package-ages.mjs` no longer finds `package-lock.json` at the repo root and silently degrades to "no new packages." The <30-day package-age soft signal (ADR-0022) is effectively off in CI today. The signal is soft so the gap does not block merge, but the gate is no longer doing its documented job. ## Source - CLAUDE.md "Package-age policy" bullet: *"(The check currently reads npm package-lock.json format; pnpm-lock.yaml support is a follow-up after #181.)"* - `scripts/ci/check-package-ages.mjs` lines 10-14: *"NOTE (ticket #181): after the pnpm-workspaces restructure, this script no longer finds package-lock.json at the repo root and silently degrades to no new packages. Teaching the helper to walk pnpm-lock.yaml is a follow-up ticket; the policy is a soft signal so the gap is recoverable without merging risk."* - PR #195 ("Out-of-scope follow-ups"): *"Teach scripts/lib/package-ages.mjs to walk pnpm-lock.yaml so the package-age soft check resumes catching new packages on PRs."* ## Scope - Extend `scripts/lib/package-ages.mjs` `extractPackagesFromLockfile` to parse pnpm-lock.yaml v6/v9 format in addition to npm v3 `package-lock.json`. - Update `scripts/ci/check-package-ages.mjs` to read `pnpm-lock.yaml` instead of `package-lock.json`, and `git show <baseRef>:pnpm-lock.yaml` for the base. - Resolve registry URLs for each pnpm-lock entry (pnpm lockfile records `npm:` registry by default; private registries / aliases need handling). - Add pure-function unit tests for the new pnpm parser path against fixture lockfiles (small inline pnpm-lock.yaml snippets). - Confirm CI re-flags freshly-introduced young packages on a synthetic PR (e.g. bump a transitive). ## Acceptance criteria - [ ] `pnpm -F` or root-level invocation of `node scripts/ci/check-package-ages.mjs` against the workspace produces the same offender set that the pre-#181 npm script did. - [ ] Unit tests cover npm and pnpm lockfile parsing paths. - [ ] A synthetic PR introducing a young package surfaces the sticky CI comment. - [ ] CLAUDE.md "Package-age policy" bullet is updated to drop the "follow-up after #181" caveat. ## Composes with - ADR-0022 (the policy itself is unchanged; this is mechanics-only). - #181 (workspace restructure)
james closed this issue 2026-06-23 13:14:06 +00:00
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
james/carol#213
No description provided.