fix: Generate shrinkwraps for the bundled vscode

Author: edvincent

ci/build/build-release.sh

@@ -56,16 +56,6 @@ EOF
   ) > "$RELEASE_PATH/package.json"
   rsync yarn.lock "$RELEASE_PATH"
 
-  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we seed
-  # an npm-shrinkwrap file from our yarn lockfile and the current node-modules installed.
-  synp --source-file yarn.lock
-  npm shrinkwrap
-  # HACK@edvincent: The shrinkwrap file will contain the devDependencies, which by default
-  # are installed if present in a lockfile. To avoid every user having to specify --production
-  # to skip them, we carefully remove them from the shrinkwrap file.
-  json -f npm-shrinkwrap.json -I -e "Object.keys(this.dependencies).forEach(dependency => { if (this.dependencies[dependency].dev) { delete this.dependencies[dependency] } } )"
-  mv npm-shrinkwrap.json "$RELEASE_PATH"
-
   rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
 
   if [ "$KEEP_MODULES" = 1 ]; then

ci/build/build-standalone-release.sh

@@ -29,6 +29,46 @@ main() {
 
   cd "$RELEASE_PATH"
   yarn --production --frozen-lockfile
+
+  create_shrinkwraps
+}
+
+create_production_shrinkwrap() {
+  npm shrinkwrap
+
+  # HACK@edvincent: The shrinkwrap file will contain the devDependencies, which by default
+  # are installed if present in a lockfile. To avoid every user having to specify --production
+  # to skip them, we carefully remove them from the shrinkwrap file.
+  json -f npm-shrinkwrap.json -I -e "Object.keys(this.dependencies).forEach(dependency => { if (this.dependencies[dependency].dev) { delete this.dependencies[dependency] } } )"
+
+  # HACK@edvincent: We create the shrinkwrap file from the installed node_modules folder.
+  # Installing node-addon-api also creates an auto-generated folder under @parcel/node-addon-api for gyp,
+  # but this actually does not have a package.json (nor it's a package that can be fetched from the repository).
+  # Thus `npm shrinkwrap` doesn't know how to generate a lock entry for it, and leaves it empty - which then
+  # breaks any subsequent install. We manually remove it, as on every install it will be auto-generated.
+  json -f npm-shrinkwrap.json -I -e "if (this.dependencies['@parcel/node-addon-api'] == {}) { delete this.dependencies['@parcel/node-addon-api'] }"
+}
+
+create_shrinkwraps() {
+  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
+  # not packaged when publishing to the NPM registry.
+  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
+  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
+  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
+
+  # We first generate the shrinkwrap file for code-server itself - from being in $RELEASE_PATH
+  create_production_shrinkwrap
+
+  # Then the shrinkwrap files for the bundled VSCode
+  # We don't need to remove the devDependencies for these because we control how it's installed - and
+  # as such we can force the --production flag
+  cd lib/vscode/
+  create_production_shrinkwrap
+
+  cd extensions/
+  create_production_shrinkwrap
+
+  cd ../../
 }
 
 main "$@"

ci/build/npm-postinstall.sh

@@ -66,7 +66,7 @@ main() {
     echo "Failed to download cloud agent; --link will not work"
   fi
 
-  if ! vscode_yarn; then
+  if ! vscode_install; then
     echo "You may not have the required dependencies to build the native modules."
     echo "Please see https://github.com/coder/code-server/blob/master/docs/npm.md"
     exit 1
@@ -89,15 +89,41 @@ symlink_asar() {
   fi
 }
 
-vscode_yarn() {
+install_with_yarn_or_npm() {
+  # NOTE@edvincent: We want to keep using the package manager that the end-user was using to install the package.
+  # This also ensures that when *we* run `yarn` in the development process, the yarn.lock file is used.
+  case "${npm_config_user_agent-}" in
+      yarn*)
+        yarn --production --frozen-lockfile
+      ;;
+      npm*)
+        if [ -f "yarn.lock" ]; then
+          echo "yarn.lock file present, yarn should be used rather than npm"
+          exit 1
+        else
+          # NOTE@edvincent: Ideally, this should use `npm ci --production` - which is the equivalent of a
+          # frozen lockfile. NPM 6 doesn't deal well with `npm ci` and optionalDependencies (tries to install them
+          # anyway) - which are used for some Windows-only packages - so until we can upgrade to a higher version
+          # of NPM (along with Node), we rely on NPM's behavior to prefer what's on the lockfile and resolve what isn't.
+          npm install --production
+        fi
+      ;;
+      *)
+        echo "Could not determine which package manager is being used to install code-server"
+        exit 1
+      ;;
+  esac
+}
+
+vscode_install() {
   echo 'Installing Code dependencies...'
   cd lib/vscode
-  yarn --production --frozen-lockfile
+  install_with_yarn_or_npm
 
   symlink_asar
 
   cd extensions
-  yarn --production --frozen-lockfile
+  install_with_yarn_or_npm
 }
 
 main "$@"

package.json

@@ -61,14 +61,18 @@
     "eslint-plugin-import": "^2.18.2",
     "eslint-plugin-prettier": "^4.0.0",
     "json": "^11.0.0",
+    "minimist": "npm:minimist-lite@2.2.1",
+    "normalize-package-data": "^4.0.0",
+    "postcss": "^8.2.1",
     "prettier": "^2.2.1",
     "prettier-plugin-sh": "^0.10.0",
     "shellcheck": "^1.0.0",
     "stylelint": "^13.0.0",
     "stylelint-config-recommended": "^5.0.0",
-    "synp": "^1.9.10",
+    "trim": "^1.0.0",
     "ts-node": "^10.0.0",
-    "typescript": "^4.4.0-dev.20210528"
+    "typescript": "^4.4.0-dev.20210528",
+    "underscore": "^1.13.1"
   },
   "resolutions": {
     "ansi-regex": "^5.0.1",
@@ -107,8 +111,7 @@
     "semver": "^7.1.3",
     "split2": "^4.0.0",
     "ws": "^8.0.0",
-    "xdg-basedir": "^4.0.0",
-    "yarn": "^1.22.4"
+    "xdg-basedir": "^4.0.0"
   },
   "bin": {
     "code-server": "out/node/entry.js"