What is npm Workspaces?
Setting up npm Workspaces
To get started with npm workspaces you need npm version 7 or later. Once it is installed, navigate to your project's root directory and create a package.json file if you don't already have one, then add a `workspaces` field to it; in this example it is set to `["packages/*"]`.
Here packages/* is the glob pattern that tells npm where the workspace packages live; you can use any glob pattern that matches your project structure. With this configuration in place, `npm install` maintains a single package-lock.json at the root that records the dependency tree of every package in the workspace. `npm install` can be run from any directory inside the workspace, not just the root, and behaves the same way.
Importance of npm Workspaces
Streamlined Development Process
By grouping related packages in a monorepo, npm workspaces provide a single source of truth for all dependencies of the project. This streamlines the development process and reduces the risk of version conflicts or mismatched dependencies between packages.
Simplified Dependency Management
With npm workspaces, you can share dependencies between packages. Instead of keeping multiple copies of the same dependency across different packages, npm workspaces hoist common dependencies to the root of the monorepo, saving disk space and avoiding redundancy. This also reduces build time when npm is not configured to use a cache.
Simplified CI/CD Pipelines
With a monorepo and npm workspaces, setting up Continuous Integration/Continuous Deployment (CI/CD) pipelines becomes more straightforward. CI/CD processes can be triggered once for the entire monorepo, testing all packages together, ensuring better code coverage, and avoiding individual package issues.
Easier Code Refactoring and Collaboration
Developers can easily refactor code across packages since they all reside in the same repository. This promotes collaboration between team members and helps to maintain code quality and standards throughout the project.
Since there is just one package-lock.json for the entire monorepo, no matter how many packages it contains, a Software Composition Analysis (SCA) tool only has to examine one lock file to obtain the dependency tree of the whole monorepo. This makes dependency discovery much faster and saves a lot of time when the SCA tool runs in CI.
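As an added example (not code from this post or from Endor Labs), the script below shows what the single root lock file gives an SCA tool: it reads a constructed lockfileVersion 3 package-lock.json for a workspace configured with `"workspaces": ["packages/*"]` and two members, resolves each member's dependencies the way Node does (nearest node_modules first, then each parent, then the hoisted root), and returns the transitive tree per member, including the case where one member needs a conflicting version that npm nests instead of hoisting. The lock file contents, package names and versions are all constructed for the example.

```javascript
// Constructed lockfileVersion-3 sample for a workspace root with two members (not a
// real project's file): members are symlinks under node_modules, hoisted deps sit beside them.
const LOCKFILE = {
  name: "my-monorepo", lockfileVersion: 3,
  packages: {
    "": { name: "my-monorepo", workspaces: ["packages/*"] },
    "node_modules/app-a": { resolved: "packages/app-a", link: true },
    "node_modules/app-b": { resolved: "packages/app-b", link: true },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/semver": { version: "6.3.1" },
    "node_modules/lru-cache": { version: "6.0.0" },
    "packages/app-a": { name: "app-a", version: "1.0.0",
      dependencies: { lodash: "^4.17.21", semver: "^6.0.0" } },
    "packages/app-b": { name: "app-b", version: "1.0.0",
      dependencies: { "app-a": "^1.0.0", semver: "^7.5.0" } },
    // app-b's semver range conflicts with the hoisted 6.x, so npm nests a private copy.
    "packages/app-b/node_modules/semver": {
      version: "7.5.4", dependencies: { "lru-cache": "^6.0.0" } },
  },
};

// Lockfile key that satisfies `dep` for the package at `fromPath`, mirroring Node's
// lookup: nearest node_modules first, then each parent directory, then the root.
function resolveDep(lock, fromPath, dep) {
  for (let dir = fromPath; ; ) {
    const key = `${dir ? dir + "/" : ""}node_modules/${dep}`;
    const entry = lock.packages[key];
    if (entry) return entry.link ? entry.resolved : key; // follow workspace symlinks
    if (dir === "") return null;
    dir = dir.includes("/") ? dir.slice(0, dir.lastIndexOf("/")) : "";
  }
}
// Workspace members are whatever the `node_modules/<name>` symlinks point to.
function workspacePackages(lock) {
  return Object.entries(lock.packages)
    .filter(([key, e]) => key.startsWith("node_modules/") && e.link).map(([, e]) => e.resolved);
}
// Transitive dependency closure of one package as a Map "name@version" -> lockfile key.
function dependencyTree(lock, pkgPath, seen = new Map()) {
  for (const dep of Object.keys(lock.packages[pkgPath].dependencies || {})) {
    const key = resolveDep(lock, pkgPath, dep);
    if (key === null) throw new Error(`${dep} (needed by ${pkgPath}) is missing from the lockfile`);
    const id = `${lock.packages[key].name || dep}@${lock.packages[key].version}`;
    if (seen.has(id)) continue; // already visited; also stops dependency cycles
    seen.set(id, key);
    dependencyTree(lock, key, seen);
  }
  return seen;
}
```

Run with `node` and call `dependencyTree(LOCKFILE, "packages/app-b")` to see that app-b pulls in both semver@6.3.1 (through app-a) and its own nested semver@7.5.4, something a per-package scan of only packages/app-b would miss.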
How does Endor Labs work with npm/yarn workspaces?
Endor Labs supports workspaces transparently—no additional configuration is required to scan your projects that use workspaces.