
deps: add corepack

Rodrigo Muino Tomonari requested to merge github/fork/arcanis/mael/corepack into master

This PR is a follow-up to https://github.com/nodejs/node/pull/35398, where discussions were more about the idea than the implementation. With that out of the way after the vote in https://github.com/nodejs/TSC/issues/1012#issuecomment-828776990, I updated the branch with the latest Corepack release on top of the Node trunk.

What is Corepack?

Corepack provides a way for Node project authors to define the package manager they intend to use inside their projects - both in terms of package manager type (Yarn, pnpm, ...) and version (x.y.z). This prevents a class of problems where a contributor would use a different version of a package manager than their colleagues and would thus be subject to ever so slightly different environments (due to new bugs, fixed bugs, or different feature sets).

Corepack got approved for inclusion in https://github.com/nodejs/TSC/issues/1012#issuecomment-828776990.

How does Corepack work?

The sources are located inside nodejs/corepack. The gist is that Corepack installs "jumpers" next to the Node binary (just like what already happens for the npm and npx binaries) for the supported package managers (binaries are currently pnpm, pnpx, yarn, and yarnpkg, plus an extra one for corepack itself). They thus become exposed through the $PATH environment variable. Once called, these jumpers look into the local folder to find the top-most package.json, and read the packageManager field from it. Depending on the result:

  • If no packageManager field exists, the requested version is assumed to be the default one in the Corepack configuration.
  • If a packageManager field exists, then it's used as the requested version.

Corepack then ensures that the given package manager is in its cache, downloading it if necessary, and runs it transparently.

How does it affect npm?

It doesn't have any effect on npm. While I wrote the code for Corepack to support npm (or any other package manager), the codepath isn't enabled and won't be until the npm team feels comfortable enabling it themselves. As such, the only two package managers currently impacted are Yarn and pnpm, which have both manifested interest in this project.

What are the risks?

The risks are low, even for Yarn & pnpm users. Corepack is currently opt-in: the shims won't be generated until users explicitly run the corepack enable command in their terminal. The goal is to gather information during the lifetime of Node 16 to then be able to make an informed decision regarding how to proceed in future releases.
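
The lookup described under "How does Corepack work?", written as a pre-install check a project could run in CI. This is an added example, not code from Corepack or from this PR. The function names and the `stopDir` parameter are hypothetical, "top-most" is read as the package.json highest in the directory tree, and accepting only yarn and pnpm in the `name@x.y.z` form is an assumption taken from the description above.

```javascript
const fs = require('fs');
const path = require('path');

// Assumption: accept only the managers the page lists as currently impacted.
const SUPPORTED = new Set(['yarn', 'pnpm']);
// name@x.y.z (optional prerelease); ranges and dist-tags do not match.
const EXACT = /^([a-z]+)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/;

// Walk upward from startDir and keep the package.json highest in the tree.
// stopDir (hypothetical parameter) bounds the walk, e.g. at the repo root.
function findTopMostManifest(startDir, stopDir) {
  let dir = path.resolve(startDir);
  const stop = path.resolve(stopDir || path.parse(dir).root);
  let found = null;
  for (;;) {
    const candidate = path.join(dir, 'package.json');
    if (fs.existsSync(candidate)) found = candidate;
    const parent = path.dirname(dir);
    if (dir === stop || parent === dir) return found;
    dir = parent;
  }
}

// Classify what a jumper would be asked to run from startDir:
// 'pinned' (explicit request), 'default' (fallback), or 'invalid'.
function auditPackageManager(startDir, stopDir) {
  const manifest = findTopMostManifest(startDir, stopDir);
  if (!manifest) return { status: 'default', reason: 'no package.json found' };
  let data;
  try {
    data = JSON.parse(fs.readFileSync(manifest, 'utf8'));
  } catch (err) {
    return { status: 'invalid', manifest, reason: 'unreadable package.json' };
  }
  const spec = data === null ? null : data.packageManager;
  if (spec === undefined) {
    return { status: 'default', manifest, reason: 'no packageManager field' };
  }
  const m = typeof spec === 'string' ? EXACT.exec(spec) : null;
  if (!m) return { status: 'invalid', manifest, reason: 'not an exact name@x.y.z' };
  if (!SUPPORTED.has(m[1])) {
    return { status: 'invalid', manifest, reason: `unsupported manager: ${m[1]}` };
  }
  return { status: 'pinned', manifest, name: m[1], version: m[2] };
}
```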
