[Bug]: rules_js 3.x: generated npm package dir no longer includes LICENSE.md / README.md

[davido]

What happened?

After upgrading from aspect_rules_js 2.9.2 to 3.x, the generated npm package directory for marked no longer contains LICENSE.md and README.md.

This appears to be a regression introduced in rules_js 3.x.

Version

3.0.0, 3.0.1, 3.0.2 and 3.0.3 are affected.

How to reproduce

MODULE.bazel:

bazel_dep(name = "aspect_bazel_lib", version = "2.22.5")
bazel_dep(name = "aspect_rules_js", version = "3.0.3")
#bazel_dep(name = "aspect_rules_js", version = "2.9.2")
bazel_dep(name = "rules_nodejs", version = "6.7.4")

npm = use_extension("@aspect_rules_js//npm:extensions.bzl", "npm")

npm.npm_translate_lock(
    name = "npm",
    pnpm_lock = "//:pnpm-lock.yaml",
)

use_repo(npm, "npm")

BUILD.bazel

load("@npm//:defs.bzl", "npm_link_all_packages")

npm_link_all_packages(name = "node_modules")

filegroup(
    name = "marked_dir",
    srcs = [":node_modules/marked/dir"],
)

genrule(
    name = "list_marked_files",
    srcs = [":marked_dir"],
    outs = ["marked-files.txt"],
    cmd = "find -L $(locations :marked_dir) -type f | sort > $@",
)

package.json:

{
  "name": "repro",
  "private": true,
  "packageManager": "pnpm@10.33.0",
  "dependencies": {
    "marked": "17.0.6"
  }
}

pnpm-workspace.yaml

onlyBuiltDependencies: []

ppm-lock.yaml:

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .:
    dependencies:
      marked:
        specifier: 17.0.1
        version: 17.0.1

packages:

  marked@17.0.1:
    resolution: {integrity: sha512-boeBdiS0ghpWcSwoNm/jJBwdpFaMnZWRzjA6SkUMYb40SVaN1x7mmfGKp0jvexGcx+7y2La5zRZsYFZI6Qpypg==}
    engines: {node: '>= 20'}
    hasBin: true

snapshots:

  marked@17.0.1: {}

On rules_js 3.0.3:

$ bazelisk build  :list_marked_files
INFO: Analyzed target //:list_marked_files (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //:list_marked_files up-to-date:
  bazel-bin/marked-files.txt
INFO: Elapsed time: 0.120s, Critical Path: 0.00s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
✔ ~/projects/marked_missing_files_reproduces
15:51 $ cat bazel-bin/marked-files.txt | grep LICENSE
# no match

On rules_js 2.9.2:

$ bazelisk build  :list_marked_files
INFO: Analyzed target //:list_marked_files (67 packages loaded, 483 targets configured).
INFO: Found 1 target...
Target //:list_marked_files up-to-date:
  bazel-bin/marked-files.txt
INFO: Elapsed time: 5.691s, Critical Path: 0.10s
INFO: 3 processes: 1 internal, 2 darwin-sandbox.
INFO: Build completed successfully, 3 total actions
✔ ~/projects/marked_missing_files_reproduces
15:52 $ cat bazel-bin/marked-files.txt | grep LICENSE
bazel-out/darwin_x86_64-fastbuild/bin/node_modules/.aspect_rules_js/marked@17.0.1/node_modules/marked/LICENSE.md

Expected behaviour:

LICENSE.md
README.md

are included.

Any other information?

This breaks license aggregation and compliance tooling that relies on scanning node_modules, e.g.: license collectors.

Bazel-based license pipelines (e.g. Gerrit’s node_modules_licenses).

See this change upstream for more details.

[davido]

User visible change: f62a25e

One more detail that seems worth calling out: there is currently no easy user-facing way to say “keep the default basic preset, but do not exclude *.md”.

From reading the implementation, presets are additive only. A user can choose a different preset list, or replace exclusions with a fully custom list, but cannot subtract a single pattern from the built-in "basic" preset. In practice, that means there is no simple configuration-only workaround for keeping LICENSE.md / README.md while preserving the rest of the default "basic" exclusions.

That is why the only practical workaround I found was patching rules_js itself to remove *.md from the default preset.

It looks like what is missing here is a way to subtract individual patterns from a built-in preset. For example, something along the lines of:

npm.npm_exclude_package_contents(
    package = "marked",
    presets = ["basic"],
    disable_patterns = ["*.md"],
)

Right now presets appear to be additive only, so there is no straightforward way to say “use basic, except keep markdown files”.

There is a configuration-only workaround without patching rules_js, but it is awkward: copy the current "basic" preset into a local patterns list, remove *.md, and use it with presets = [] for the affected package(s).

NPM_EXCLUDE_PATTERN_NO_MD = [
    "Makefile",
    "Gulpfile.js",
    [...]
    ".yarn-metadata.json",
    ".travis.yml",
]

npm.npm_exclude_package_contents(
    package = "marked",
    presets = [],
    patterns = NPM_EXCLUDE_PATTERN_NO_MD, 
)

That works, but it duplicates the built-in preset and can drift if upstream changes "basic". So I think this is still best treated as a bug/regression in the default behavior, or alternatively a missing feature for subtracting patterns from presets.

This patch fixed it:

exclude_package_contents_presets.patch

$ git diff npm/private/exclude_package_contents_presets.bzl
diff --git a/npm/private/exclude_package_contents_presets.bzl b/npm/private/exclude_package_contents_presets.bzl
index cfacded6..3f24b451 100644
--- a/npm/private/exclude_package_contents_presets.bzl
+++ b/npm/private/exclude_package_contents_presets.bzl
@@ -24,9 +24,6 @@ _DEFAULT = [
     ".documentup.json",
     ".yarn-metadata.json",
     ".travis.yml",
-
-    # misc (files)
-    "*.md",
 ]

 # Yarn autoclean exclusions

Adding this as a temporary patch to MODULE.bazel:

single_version_override(
    module_name = "aspect_rules_js",
    version = "3.0.3",
    patches = [":exclude_package_contents_presets.patch"],
    patch_strip = 1,
)

Now the lost markdown license files are back:

$ bazel build list_marked_files
INFO: Analyzed target //:list_marked_files (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //:list_marked_files up-to-date:
  bazel-bin/marked-files.txt
INFO: Elapsed time: 0.162s, Critical Path: 0.00s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
✔ ~/projects/marked_missing_files_reproduces

16:57 $ grep LICENSE bazel-bin/marked-files.txt
bazel-out/darwin_x86_64-fastbuild/bin/node_modules/.aspect_rules_js/marked@18.0.1/node_modules/marked/LICENSE.md

[jbedard]

This doesn't seem worth adding to the API surface such as the disable_patterns idea. If you don't want the default behaviour you can override it with ~3 lines.

Is rules_license effected by this in any way or just your own script?

Proper LICENSE files are not excluded, only LICENSE.md which I assume is becoming more common 👴

We could potentially split basic into multiple (maybe "ci files" and "ide files" and "junk files") so you can still maybe use the "ci files" but skip the rest?

[davido]

This doesn't seem worth adding to the API surface such as the disable_patterns idea.

Got it.

If you don't want the default behaviour you can override it with ~3 lines.

Yes, this works:

npm.npm_exclude_package_contents(
    package = "marked",
    presets = [],
)

Is rules_license effected by this in any way or just your own script?

This is our own licenses collection generation script, that is uploaded here:

https://review.opendev.org/Documentation/js_licenses.html

Proper LICENSE files are not excluded, only LICENSE.md which I assume is becoming more common

In fact, only one single package is affected marked, because their license is in Markdown:
https://github.com/markedjs/marked/blob/master/LICENSE.md

We could ask them to migrate to LICENSE.txt 😊

[jbedard]

In fact, only one single package is affected marked, because their license is in Markdown:

If it's only one then I would vote to ask them to change. If it is more common then please report back.

FWIW I'm open to improving the list or making it more convenient to opt in/out of presets, but I'd like to avoid regressions (giant CHANGELOG.md files) or complicating the API more.