14 changes: 13 additions & 1 deletion package.json
Expand Up @@ -57,6 +57,18 @@
"qs": "^6.14.1",
"vite": "^6.4.1",
"body-parser": "^2.2.1"
}
},
"onlyBuiltDependencies": [
"@parcel/watcher",
"@prisma/client",
"@prisma/engines",
"better-sqlite3",
"es5-ext",
"esbuild",
"msgpackr-extract",
"msw",
"prisma",
"sharp"
]
Comment on lines +61 to +72
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

LOCKFILE="$(fd -HI '^pnpm-lock\.yaml$' | head -n1)"
if [[ -z "${LOCKFILE:-}" ]]; then
  echo "pnpm-lock.yaml not found"
  exit 1
fi

python - <<'PY'
import json, re, pathlib, sys

pkg = json.loads(pathlib.Path("package.json").read_text())
allow = set(pkg.get("pnpm", {}).get("onlyBuiltDependencies", []))

lock_path = pathlib.Path("pnpm-lock.yaml")
if not lock_path.exists():
    # fallback if lockfile is not at repo root
    import subprocess
    found = subprocess.check_output(
        ["bash", "-lc", "fd -HI '^pnpm-lock\\.yaml$' | head -n1"],
        text=True
    ).strip()
    if not found:
        print("pnpm-lock.yaml not found")
        sys.exit(1)
    lock_path = pathlib.Path(found)

lines = lock_path.read_text(encoding="utf-8", errors="ignore").splitlines()

in_packages = False
current_key = None
requires_build = set()

key_re = re.compile(r"^\s{2}(?:'([^']+)'|\"([^\"]+)\"|([^:\s][^:]*)):\s*$")
req_re = re.compile(r"^\s{4}requiresBuild:\s*true\s*$")

for line in lines:
    if line.strip() == "packages:":
        in_packages = True
        current_key = None
        continue
    if in_packages and re.match(r"^\S", line):  # next top-level section
        in_packages = False
        current_key = None
    if not in_packages:
        continue

    km = key_re.match(line)
    if km:
        current_key = next(g for g in km.groups() if g)
        continue

    if current_key and req_re.match(line):
        base = current_key.split("(")[0]  # remove peer suffixes
        if base.startswith("@"):
            m = re.match(r"^(@[^/]+/[^@]+)@", base)
        else:
            m = re.match(r"^([^@]+)@", base)
        if m:
            requires_build.add(m.group(1))

missing = sorted(requires_build - allow)
stale = sorted(allow - requires_build)

print(f"Lockfile: {lock_path}")
print(f"requiresBuild packages: {len(requires_build)}")
print(f"allowlist packages: {len(allow)}")

print("\nMissing from pnpm.onlyBuiltDependencies:")
for name in missing:
    print(f"  - {name}")

print("\nPresent in pnpm.onlyBuiltDependencies but not lockfile requiresBuild:")
for name in stale:
    print(f"  - {name}")

# Fail only on missing entries; stale entries can be cleaned up separately.
if missing:
    sys.exit(2)
PY

Repository: proofsh/proofkit

Length of output: 398


🏁 Script executed:

fd -HI '^pnpm-lock\.yaml$' -exec wc -l {} \;

Length of output: 246


🏁 Script executed:

fd -HI '^pnpm-lock\.yaml$' -exec head -100 {} \;

Length of output: 248


🏁 Script executed:

rg 'requiresBuild:\s*true' pnpm-lock.yaml -A 2 -B 2 | head -50

Length of output: 42


🏁 Script executed:

ls -lah pnpm-lock.yaml

Length of output: 123


🏁 Script executed:

head -200 pnpm-lock.yaml

Length of output: 7770


🏁 Script executed:

rg 'prisma|sharp|esbuild|better-sqlite3' pnpm-lock.yaml | head -20

Length of output: 1145


🏁 Script executed:

cat -n package.json | sed -n '1,100p'

Length of output: 2703


🏁 Script executed:

rg '@parcel/watcher|@prisma/client|@prisma/engines|better-sqlite3|es5-ext|esbuild|msgpackr-extract|msw|prisma|sharp' package.json

Length of output: 260


🏁 Script executed:

rg 'prisma|esbuild|sharp|better-sqlite3|msgpackr|@parcel/watcher|msw|es5-ext|@prisma' packages/ apps/ --type json -l | head -10

Length of output: 115


🏁 Script executed:

grep -r "prisma\|esbuild\|sharp" packages/*/package.json apps/*/package.json 2>/dev/null | head -20

Length of output: 567


Review allowlist for accuracy before adding CI checks (Lines 61-72).

The onlyBuiltDependencies allowlist includes 10 packages, but only prisma-related packages appear as direct dependencies in subpackages. Packages like sharp, esbuild, better-sqlite3, @parcel/watcher, and others are not found in any package.json. Additionally, the lockfile contains zero requiresBuild entries, meaning a CI check comparing the allowlist to lockfile markers would report all 10 entries as extraneous.

Before implementing the suggested verification script, audit the allowlist to confirm which packages actually require builds and should remain in the configuration.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 61 - 72, The onlyBuiltDependencies allowlist
contains packages that aren't present or marked as requiring builds in our repo
(see onlyBuiltDependencies array), so audit and shrink this list: inspect the
monorepo package.json files and the lockfile to find packages with
requiresBuild/hasNativeBuild flags (or that are direct dev/prod dependencies),
remove entries not referenced (e.g., sharp, esbuild, better-sqlite3,
`@parcel/watcher`, msgpackr-extract, msw, es5-ext unless you confirm they truly
require a build), and keep only genuine build-dependent packages (likely the
`@prisma/`* entries if confirmed). After updating the onlyBuiltDependencies array,
run the verification script/CI locally against the lockfile to ensure no false
positives and commit the cleaned list.

}
}
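Review bot: the onlyBuiltDependencies list at lines 61-72 authorizes install-time lifecycle scripts for ten package names, yet the analysis above found only the prisma entries as dependencies in this repo and no requiresBuild markers in the lockfile, so most of the list pre-authorizes script execution for packages that are not installed at all. Suggest trimming it to the names that actually resolve in pnpm-lock.yaml (at minimum `@prisma/client`, `@prisma/engines`, `prisma`) and recording in the PR description why each remaining entry needs a build, because an entry left here silently grants script execution to any future dependency of that name, transitive ones included. A grep for requiresBuild is also not a reliable way to derive the list: a zero count can simply mean the lockfile format in use does not record that flag, so the list pnpm itself prints when it blocks build scripts during install is the better source of truth.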
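An added example of the audit the review asks for, written for this page and not taken from the project or from the review bot's script: it reads pnpm.onlyBuiltDependencies from package.json and reports which entries correspond to a package actually present in pnpm-lock.yaml and which are dead, using constructed sample inputs. It assumes a lockfile of version 6 or later (name@version keys under packages:), and the sample lockfile content is constructed, not the repository's real file.

```python
import json
import re
# Constructed sample inputs (not the repository's real files): the allowlist from
# the diff above, and a trimmed pnpm v9 lockfile where only the prisma packages exist.
SAMPLE_PACKAGE_JSON = json.dumps({"pnpm": {"onlyBuiltDependencies": [
    "@parcel/watcher", "@prisma/client", "@prisma/engines", "better-sqlite3",
    "es5-ext", "esbuild", "msgpackr-extract", "msw", "prisma", "sharp"]}})
SAMPLE_LOCKFILE = """packages:
  '@prisma/client@6.1.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  '@prisma/engines@6.1.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  prisma@6.1.0:
    hasBin: true
  qs@6.14.1:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  '@prisma/client@6.1.0(prisma@6.1.0)':
    optionalDependencies:
      prisma: 6.1.0
"""

# Keys directly under "packages:" sit at two-space indent, may be quoted, and in
# lockfile v6 carry a leading "/" (e.g. "  prisma@6.1.0:", "  '@prisma/client@6.1.0':").
PKG_KEY_RE = re.compile(r"^ {2}(?:'([^']+)'|\"([^\"]+)\"|(\S[^:]*)):\s*$")

def package_name(key: str) -> str:
    # Drop the "(peer@ver)" suffix and the "@version" tail, keeping any "@scope/".
    base = key.lstrip("/").split("(", 1)[0]
    if base.startswith("@"):
        scope, rest = base.split("/", 1)
        return scope + "/" + rest.split("@", 1)[0]
    return base.split("@", 1)[0]

def lockfile_package_names(lock_text: str) -> set[str]:
    names, in_packages = set(), False
    for line in lock_text.splitlines():
        if line.rstrip() == "packages:":
            in_packages = True
        elif in_packages and line and not line.startswith(" "):
            in_packages = False  # reached the next top-level section (snapshots:, ...)
        elif in_packages and (m := PKG_KEY_RE.match(line)):
            names.add(package_name(next(g for g in m.groups() if g)))
    return names

def audit_allowlist(package_json_text: str, lock_text: str) -> dict[str, list[str]]:
    allow = set(json.loads(package_json_text).get("pnpm", {}).get("onlyBuiltDependencies", []))
    present = lockfile_package_names(lock_text)
    # "dead" entries install nothing today but pre-approve scripts for any future dependency of that name.
    return {"backed": sorted(allow & present), "dead": sorted(allow - present)}
```

Run against the real package.json and pnpm-lock.yaml by passing their contents instead of the constructed samples; every name under "dead" should either be removed or justified before the CI check lands.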