Skip to content

[rush-lib] Hash full shrinkwrap entry to detect sub-dependency resolution changes #5468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 26, 2025
Merged

[rush-lib] Hash full shrinkwrap entry to detect sub-dependency resolution changes #5468

merged 4 commits into from
Nov 26, 2025
+141 −51

Conversation

Copy link
Contributor

Copilot AI commented Nov 25, 2025
edited
Loading

Summary

Fixed the issue where _getIntegrityForPackage and _addDependencyRecursive were using resolution.integrity when available, which doesn't capture changes to sub-dependency resolutions. Now the full shrinkwrap entry is always hashed, ensuring any change to dependency resolution is detected by build orchestrators.

Details

Changed both _getIntegrityForPackage (workspace path) and _addDependencyRecursive (legacy path) to always hash the full shrinkwrapEntry object instead of using resolution.integrity directly:

  • The full entry includes dependencies, optionalDependencies, and resolution, capturing any resolution changes
  • Preserved existing encoding formats (base64 in PnpmShrinkwrapFile.ts, hex in PnpmProjectShrinkwrapFile.ts) for backward compatibility

Code Review Notes:
Two pre-existing concerns were identified:

  1. Encoding inconsistency: PnpmShrinkwrapFile.ts uses base64 while PnpmProjectShrinkwrapFile.ts uses hex. This inconsistency existed before this change and was preserved for backward compatibility.
  2. JSON.stringify order: Property order is maintained by ES2015+ JavaScript and the YAML parser provides deterministic output, so this is acceptable.

How it was tested

  • All 528 existing tests pass
  • Added test case verifying different sub-dependency resolutions produce different integrity hashes
  • Updated snapshot expectations to reflect new hash format

Impacted documentation

None

Original prompt

The logic in PnpmShrinkwrapFile._getIntegrityForPackage does not produce a new hash for a package if the resolutions of its dependencies change. Consider the scenario where:
Importer depends on foo@1 depends on [email protected]
Importer depends on bar@2 depends on [email protected]
Importer depends on baz@3 depends on [email protected]

If the resolution of baz@3>qux changes from [email protected] to [email protected], this will currently not manifest as a change to the shrinkwrap-deps.json file, which means that build orchestrators that rely on this tool to detect changes to resolution will not detect a change and will assume outputs are constant, even if a downstream bundler that follows the import graph will produce different output.

It should suffice for the entry in shrinkwrap-deps.json to contain a hash of the full package entry from the shrinkwrap file, since this will contain both the integrity hash and all resolutions of sub-dependencies.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@github-project-automation github-project-automation bot moved this to Needs triage in Bug Triage Nov 25, 2025
@dmichon-msft
fix: hash full shrinkwrap entry to detect sub-dependency resolution c…
22c1bca 
…hanges

The logic in _getIntegrityForPackage and _addDependencyRecursive was using
resolution.integrity when available, which does not capture changes to
sub-dependency resolutions. This change ensures the entire shrinkwrap entry
is hashed, including the dependencies field which reflects resolved versions.

Co-authored-by: dmichon-msft <[email protected]>
Copilot AI changed the title [WIP] Fix integrity hash generation for dependency resolution changes [rush-lib] Hash full shrinkwrap entry to detect sub-dependency resolution changes Nov 25, 2025
Copilot AI requested a review from dmichon-msft November 25, 2025 20:24
Copilot finished work on behalf of dmichon-msft November 25, 2025 20:24
@dmichon-msft
Copy link
Contributor

dmichon-msft commented Nov 25, 2025

@copilot Run rush change --no-fetch --bulk --bump-type minor --message "${description of the change}" to generate the necessary change file.

Copy link
Contributor Author

Copilot AI commented Nov 25, 2025

@copilot Run rush change --no-fetch --bulk --bump-type minor --message "${description of the change}" to generate the necessary change file.

Generated the change file in commit 57b7def.

Copilot finished work on behalf of dmichon-msft November 25, 2025 21:30
@dmichon-msft dmichon-msft marked this pull request as ready for review November 25, 2025 22:40
Copilot finished work on behalf of dmichon-msft November 25, 2025 23:49
Copilot AI requested a review from dmichon-msft November 25, 2025 23:49
@dmichon-msft dmichon-msft merged commit f1bdedd into main Nov 26, 2025
12 checks passed
@dmichon-msft dmichon-msft deleted the copilot/fix-resolutions-dependency-hash branch November 26, 2025 23:26
@github-project-automation github-project-automation bot moved this from Needs triage to Closed in Bug Triage Nov 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@D4N14L D4N14L D4N14L approved these changes

@bmiddha bmiddha bmiddha approved these changes

@iclanton iclanton Awaiting requested review from iclanton iclanton is a code owner

@octogonz octogonz Awaiting requested review from octogonz octogonz is a code owner

@apostolisms apostolisms Awaiting requested review from apostolisms apostolisms is a code owner

@dmichon-msft dmichon-msft Awaiting requested review from dmichon-msft dmichon-msft is a code owner

Assignees

@dmichon-msft dmichon-msft

Copilot code review Copilot

Labels

None yet

Projects

Bug Triage
Status: Closed

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dmichon-msft @D4N14L @bmiddha