We currently have lockfile support in the installer via https://github.com/jspm/generator/blob/main/src/install/installer.ts#L60 along with the install option freeze
, which when used will even freeze any updates of dependencies from that provided lockfile.
It would be great to expose this option to the Generator
constructor so that users could pass a custom lockfile.
The lock format is currently typed at https://github.com/jspm/generator/blob/main/src/install/installer.ts#L36, and takes the following form:
{
"file:///path/to/pkg/": {
"dep": "https://ga.jspm.io/npm:pkg@version/"
}
}
The main base URL used can just be generator.baseUrl
for the local resolutions. It is effectively the URL of the package.json folder that defines the dependencies.
It is important that all URLs are fully normalized - thus the initial input into the lockfile system needs to deal with normalization into this format.
The standard library resolutions for Node.js use a special symbol |
in the lockfile to indicate packages that are installed to export values.
For example, fs would be written:
{
"file:///path/to/baseurl/": {
"fs": "https://ga.jspm.io/npm:@jspm/[email protected]/|fs"
}
}
Which ensures that it will always resolve to the correct environment fs library against the JSPM core package on the CDN. This is the only exception case to worry about.
To generate this lock format from an input map should be relatively straightforward based on effectively just iterating over the import map and collecting the resolutions.
We could then automatically support treating a file with "imports"
or "scopes"
as an import map input, versus the direct lockfile
input. We could possibly even handle automatic support for npm and Yarn lockfile formats as further work in future but that isn't necessary for the MVP.
Steps:
- Expose
"lockfile"
option, supporting this format exactly, just with an iteration that converts all URLs into absolute URLs relative to the baseUrl
of the generator so that a proper normalized lockfile
is passed in.
- Support detecting
"imports"
and "scopes"
on this object then converting an import map input into this same lockfile format through an iterative reduction. For a given URL https://path/to/module.js
, to determine the package boundary, there is already a resolver.getPackageBase(url)
function which can be reliably used for any URL in a way that works with the provider hooks properly.
- Profit!