in src/snippet-dependencies.ts [198:274]
/**
 * Materialise a set of compilation dependencies into a fresh temporary directory.
 *
 * A new directory is created under `os.tmpdir()` (prefix `rosetta`), a private
 * `package.json` naming every dependency is written into it, and `npm install`
 * is run synchronously with that directory as the working directory.
 *
 * Dependencies that are not concrete are looked up by name in the result of
 * `scanMonoRepos()`; when a directory is found there, the dependency is
 * replaced by a concrete one pointing at that directory. Concrete dependencies
 * are written as `file:<resolvedDirectory>`, all others as their `versionRange`.
 *
 * This function never removes the directory it creates: not on success, and
 * not when the `npm install` call throws.
 *
 * @param deps dependencies to install, keyed by package name
 * @returns the path of the temporary directory holding the installed closure
 */
export async function prepareDependencyDirectory(deps: Record<string, CompilationDependency>): Promise<string> {
  const concreteDirs = Object.values(deps)
    .filter(isConcrete)
    .map((concrete) => concrete.resolvedDirectory);
  const monorepoPackages = await scanMonoRepos(concreteDirs);

  const closureDir = await fsPromises.mkdtemp(path.join(os.tmpdir(), 'rosetta'));
  logging.info(`Preparing dependency closure at ${closureDir} (-vv for more details)`);

  // Resolve symbolic packages against the monorepo: a non-concrete dependency
  // whose name the monorepo scan knows becomes a concrete one.
  const resolvedDeps = mkDict(
    Object.entries(deps).map(([pkgName, original]) => {
      let resolved: CompilationDependency = original;
      if (original.type !== 'concrete') {
        const monorepoDir = monorepoPackages[pkgName];
        if (monorepoDir) {
          resolved = { type: 'concrete', resolvedDirectory: monorepoDir } as CompilationDependency;
        }
      }
      return [pkgName, resolved];
    }),
  );

  // Translate every resolved dependency into the spec string npm will read.
  const dependencies: Record<string, string> = {};
  for (const [pkgName, resolved] of Object.entries(resolvedDeps)) {
    if (!isConcrete(resolved)) {
      // NOTE(review): versionRange is copied verbatim into package.json, and npm
      // accepts more than semver ranges as a dependency value (URLs, git
      // references, paths). Whether it is validated upstream is not visible
      // here; confirm at the call sites.
      logging.debug(`${pkgName} @ ${resolved.versionRange}`);
      dependencies[pkgName] = resolved.versionRange;
      continue;
    }
    logging.debug(`${pkgName} -> ${resolved.resolvedDirectory}`);
    dependencies[pkgName] = `file:${resolved.resolvedDirectory}`;
  }

  const manifest = {
    name: 'examples',
    version: '0.0.1',
    private: true,
    dependencies,
  };
  await fsPromises.writeFile(path.join(closureDir, 'package.json'), JSON.stringify(manifest, undefined, 2), {
    encoding: 'utf-8',
  });

  // Run NPM install on this package.json. The command line is built from
  // constants only; package names and specs reach npm through package.json,
  // never through the shell command string.
  const npmCommand = [
    'npm install',
    // We need to include --force for packages
    // that have a symbolic version in the symlinked dev tree (like "0.0.0"), but have
    // actual version range dependencies from externally installed packages (like "^2.0.0").
    '--force',
    // this is critical from a security perspective to prevent
    // code execution as part of the install command using npm hooks. (e.g postInstall)
    '--ignore-scripts',
    // save time by not running audit
    '--no-audit',
    // ensures npm does not insert anything in $PATH
    '--no-bin-links',
    // don't write or update a package-lock.json file
    '--no-package-lock',
    // only print errors
    `--loglevel error`,
  ].join(' ');
  cp.execSync(npmCommand, {
    cwd: closureDir,
    encoding: 'utf-8',
  });

  return closureDir;
}