feat: consolidate package manager to pnpm on gapic-generator-typescript #8365

Merged: quirogas merged 5 commits into googleapis:main from quirogas:feat/pkg-mgr-consolidation on Jun 3, 2026

Conversation

@quirogas (Contributor) commented May 27, 2026

This pull request consolidated the package manager used by gapic-generator-typescript.

quirogas self-assigned this May 27, 2026

@gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request adds a pnpm-workspace.yaml file to define the workspace root directory for the gapic-generator-typescript generator. There are no review comments to address, and I have no additional feedback to provide.

quirogas marked this pull request as ready for review May 27, 2026 15:57
quirogas requested a review from a team as a code owner May 27, 2026 15:57

@pearigee (Contributor) commented

I think we should keep these lockfiles (except maybe yarn)

I think consolidating around a package manager is a bit more complicated than deleting these lockfiles.

At minimum, I think we NEED to have lock files for NPM (to cover automation and our customers) and PNPM (to cover our automation).

Lockfiles are most useful as a mitigation against supply chain attacks (we are going to be adding them everywhere in the near future). Deleting them exposes us to more risk. Simply running npm install is a major security risk these days UNLESS our versions are strictly defined in a lockfile. For example:

Consolidation is mostly a CI/Automation problem

To consolidate around a single package manager, the key challenge is actually in our automation (GitHub Actions, GCB, Docker Containers, BazelBot, etc.). These automations use a mixture of PNPM and NPM. Note that modern supply chain attacks are specifically designed to compromise CI (i.e. with Docker escape mechanisms). As a result, we probably need to keep an NPM and PNPM lock around.

Here are a few usage examples:
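The lockfile policy argued in the comment above (keep a committed npm and pnpm lockfile, and make CI refuse to resolve anything that is not already pinned) can be enforced with a small guard script. The following is an added example, not part of pearigee's comment and not code from the gapic-generator-typescript project: the function names (`require_lockfiles`, `lockfile_has_integrity`, `pinned_install_cmd`, `ci_guard`) are hypothetical, and the sample lockfile in the usage below is constructed. It assumes the CI job runs either `npm` or `pnpm`; the `npm ci`, `pnpm install --frozen-lockfile` and `--ignore-scripts` flags are the real ones.

```shell
#!/bin/sh
# Added example, not code from the PR or the gapic-generator-typescript
# project. A CI guard for the lockfile policy discussed in the review:
#  - both lockfiles the automation depends on must be committed,
#  - every resolved npm entry must carry an integrity (SRI) hash,
#  - the install command must fail on lockfile drift instead of silently
#    re-resolving versions from the registry, and must not run
#    install-time lifecycle scripts.

# Return 0 when both package-lock.json and pnpm-lock.yaml exist in $1.
require_lockfiles() {
  dir="$1"
  missing=""
  for f in package-lock.json pnpm-lock.yaml; do
    [ -f "$dir/$f" ] || missing="$missing $f"
  done
  if [ -n "$missing" ]; then
    echo "missing lockfile(s):$missing" >&2
    return 1
  fi
  return 0
}

# Return 0 when every "resolved" tarball entry in an npm lockfile has a
# matching "integrity" hash; an entry without one is installed unverified.
# Counting lines is a deliberate heuristic, not a JSON parse.
lockfile_has_integrity() {
  lock="$1"
  [ -f "$lock" ] || { echo "$lock: not found" >&2; return 1; }
  resolved=$(grep -c '"resolved":' "$lock" || true)
  integrity=$(grep -c '"integrity":' "$lock" || true)
  if [ "$resolved" -eq 0 ] || [ "$integrity" -lt "$resolved" ]; then
    echo "$lock: $integrity integrity hashes for $resolved resolved entries" >&2
    return 1
  fi
  return 0
}

# Print the install command for the given package manager. Both forms
# refuse to rewrite the lockfile when package.json drifted, and
# --ignore-scripts stops install-time lifecycle hooks from executing code.
pinned_install_cmd() {
  case "$1" in
    npm)  echo "npm ci --ignore-scripts" ;;
    pnpm) echo "pnpm install --frozen-lockfile --ignore-scripts" ;;
    *)    echo "unsupported package manager: $1" >&2; return 1 ;;
  esac
}

# Run every check against a checkout ($1) for the package manager a job
# uses ($2); on success print the install command to run.
ci_guard() {
  dir="$1"; pm="$2"
  require_lockfiles "$dir" || return 1
  lockfile_has_integrity "$dir/package-lock.json" || return 1
  pinned_install_cmd "$pm"
}

# Usage from a repository root: cmd=$(ci_guard . npm) && sh -c "$cmd"
```

The integrity check is intentionally crude (a line count rather than a JSON walk) so it has no dependencies beyond POSIX tools; a job that needs precision can replace it with a `node -e` script over the parsed lockfile. The point of `ci_guard` returning non-zero before printing anything is that a CI step written as `sh -c "$(ci_guard . pnpm)"` never reaches the install when a lockfile is missing or unverified.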

Review comment thread on core/generator/gapic-generator-typescript/pnpm-workspace.yaml (outdated)

quirogas requested a review from pearigee June 1, 2026 23:51

@quirogas (Contributor, Author) commented Jun 1, 2026

Since the CI pipeline still requires the other package-lock file, I have reverted all changes except for the deletion of the yarn-lock file.

quirogas merged commit 5c16c62 into googleapis:main Jun 3, 2026
31 checks passed
quirogas deleted the feat/pkg-mgr-consolidation branch June 3, 2026 05:50
2 participants