chore(ci): teach package-age check to walk pnpm-lock.yaml (#213) #242
Summary
After #181 restructured Carol into a pnpm workspace, the package-age soft check silently degraded to "no new packages" — the wrapper still read package-lock.json at the repo root, which no longer exists. This PR teaches it to walk pnpm-lock.yaml. Policy unchanged (mechanics-only ticket — see ADR-0022).
- parsePnpmLockfile(content) next to the existing npm-v3 walker. No YAML lib added: the packages: block is regular enough to read line-by-line (top-level keys at column 0, package keys at 2-space indent), which keeps the CI script dependency-free.
- newPackages(base, current) now accepts either parsed npm-v3 objects OR raw pnpm-yaml strings and normalises both to Map<name, version>, so the wrapper stays shape-agnostic.
- package-lock.json → pnpm-lock.yaml for both the current-file read and the git show <baseRef>:… base read.
- // NOTE (ticket #181) block dropped from the wrapper.
Parser shape
Handles all the v9 / v6 / scoped / peer-dep variants present in our lockfile:
Cut at the first ( rather than balancing parens — we only need the name+version prefix.
Sample script output against the live lockfile
Test plan
- pnpm install --frozen-lockfile
- pnpm -F @carol/api test — 568 passing (35 in the package-ages file: 16 new for the pnpm parser + 2 new for newPackages string-input mode)
- pnpm -F @carol/api-client test — 16 passing
- pnpm -F @carol/client test — 29 passing
Links
pnpm-lock.yaml in its checkout comment (#181 follow-up); now the script matches
🤖 Generated with Claude Code
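The line-by-line read described above (top-level keys at column 0, package keys at 2-space indent, cut at the first "("), as an added example that is not the PR's code. The function names and the sample lockfiles are constructed, and keeping a Set of versions per name is an assumption of this sketch so that a second version of an already-present package is also reported.

```javascript
// Added example, not the project's script: function names are hypothetical.
function splitPackageKey(key) {
  if (key.startsWith("/")) key = key.slice(1); // v6 keys carry a leading "/"
  key = key.split("(")[0];                     // peer-dep suffix: cut at the first "("
  const at = key.lastIndexOf("@");             // index 0 is the scope marker, not a separator
  if (at <= 0) return null;
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

function parsePnpmPackages(content) {
  const found = new Map(); // name -> Set of versions
  let inPackages = false;
  for (const line of content.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // column 0: a top-level key opens or closes the block
      inPackages = /^packages:\s*$/.test(line);
      continue;
    }
    if (!inPackages) continue;
    const m = /^ {2}(?:'([^']+)'|"([^"]+)"|(\S+?)):(?:\s|$)/.exec(line);
    const pkg = m && splitPackageKey(m[1] ?? m[2] ?? m[3]);
    if (!pkg) continue;
    if (!found.has(pkg.name)) found.set(pkg.name, new Set());
    found.get(pkg.name).add(pkg.version);
  }
  return found;
}

function diffNewPackages(baseYaml, currentYaml) {
  const base = parsePnpmPackages(baseYaml);
  const added = [];
  for (const [name, versions] of parsePnpmPackages(currentYaml))
    for (const v of versions)
      if (!base.get(name)?.has(v)) added.push(`${name}@${v}`);
  return added.sort();
}

// Constructed lockfile fragments (v9 and v6 key styles mixed on purpose).
const BASE_LOCK = `packages:
  '@types/node@20.11.0':
    resolution: {integrity: sha512-constructed}
  left-pad@1.3.0: {}
`;
const CURRENT_LOCK = `${BASE_LOCK}  left-pad@1.4.0: {}
  /@scope/widget@2.0.1(react@18.2.0): {}
snapshots:
  not-counted@9.9.9: {}
`;
console.log(diffNewPackages(BASE_LOCK, CURRENT_LOCK));
```

Entries under snapshots: and the nested resolution: lines are skipped because only 2-space keys inside the packages: block are read.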
📊 Test coverage
Patch coverage: no testable lines changed.
Overall (app/, lib/, db/, excluding UI per ADR-0019):
Soft thresholds per ADR-0019. Coverage is informational and does not block merge.
Trivy (container image)
Threshold: high · Total findings: 121 · At/above threshold: 16.27.0, 7.28.0, 8.5.0