Add danger check for duplicate yarn dependencies

This danger check utilises `yarn-deduplicate` in order to show duplicate dependencies in the yarn.lock dependency tree. Often when introducing new dependencies or updating existing ones, yarn does not seem to build the most optimal dependency tree. In order to prevent those unnecessary dependency updates we are nudging developers and maintainers to resolve these issues in MRs. Automating this with danger especially helps, as yarn.lock files are not that easy to review.
author: Lukas Eipert <leipert@gitlab.com> 2018-09-07 13:20:06 +0200
committer: Lukas Eipert <leipert@gitlab.com> 2018-12-17 09:58:39 +0100
commit: 243bd56f9db95a29deaec9ff093b2ff8d02f82ee (patch)
tree: 437d20ccde414ff8e9650283276bca0b6279a494
parent: 8b4602041cf2c4a8738a4796d78720017249249f (diff)
download: gitlab-ce-243bd56f9db95a29deaec9ff093b2ff8d02f82ee.tar.gz
4 files changed, 45 insertions, 2 deletions
diff --git a/Dangerfile b/Dangerfile
index 469e77b2514..6a2c5cf2773 100644
--- a/Dangerfile
+++ b/Dangerfile
@@ -8,5 +8,6 @@ danger.import_dangerfile(path: 'danger/database')
 danger.import_dangerfile(path: 'danger/documentation')
 danger.import_dangerfile(path: 'danger/frozen_string')
 danger.import_dangerfile(path: 'danger/commit_messages')
+danger.import_dangerfile(path: 'danger/duplicate_yarn_dependencies')
 danger.import_dangerfile(path: 'danger/prettier')
 danger.import_dangerfile(path: 'danger/eslint')
diff --git a/danger/duplicate_yarn_dependencies/Dangerfile b/danger/duplicate_yarn_dependencies/Dangerfile
new file mode 100644
index 00000000000..25f81ec86a4
--- /dev/null
+++ b/danger/duplicate_yarn_dependencies/Dangerfile
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+return unless helper.all_changed_files.include? 'yarn.lock'
+
+duplicate = `node_modules/.bin/yarn-deduplicate --list --strategy fewer yarn.lock`
+             .split(/$/)
+             .map(&:strip)
+             .reject(&:empty?)
+
+return if duplicate.empty?
+
+warn 'This merge request has introduced duplicated yarn dependencies.'
+
+markdown(<<~MARKDOWN)
+  ## Duplicate yarn dependencies
+
+  The following dependencies should be de-duplicated:
+
+  * #{duplicate.map { |path| "`#{path}`" }.join("\n* ")}
+
+  Please run the following command and commit the changes to `yarn.lock`:
+
+  ```
+  node_modules/.bin/yarn-deduplicate --strategy fewer yarn.lock \\
+    && yarn install
+  ```
+MARKDOWN
diff --git a/package.json b/package.json
index cf7e43f14dd..44423c97722 100644
--- a/package.json
+++ b/package.json
@@ -158,7 +158,8 @@
     "nodemon": "^1.18.4",
     "prettier": "1.15.2",
     "vue-jest": "^3.0.1",
-    "webpack-dev-server": "^3.1.10"
+    "webpack-dev-server": "^3.1.10",
+    "yarn-deduplicate": "^1.0.5"
   },
   "engines": {
     "yarn": "^1.10.0"
diff --git a/yarn.lock b/yarn.lock
index a6b43f785dc..999293bce56 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -900,6 +900,11 @@
   resolved "https://registry.yarnpkg.com/@xtuc/long/-/long-4.2.1.tgz#5c85d662f76fa1d34575766c5dcd6615abcd30d8"
   integrity sha512-FZdkNBDqBRHKQ2MEbSC17xnPFOhZxeJ2YGSfr2BKf3sujG49Qe3bB+rGCwQfIaA7WHnGeGkSijX4FuBCdrzW/g==
 
+"@yarnpkg/lockfile@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@yarnpkg/lockfile/-/lockfile-1.1.0.tgz#e77a97fbd345b76d83245edcd17d393b1b41fb31"
+  integrity sha512-GpSwvyXOcOOlV70vbnzjj4fW5xW/FdUF6nQEt1ENy7m4ZCczi1+/buVUPAqmGfqznsORNFzUMjctTIp8a9tuCQ==
+
 abab@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/abab/-/abab-2.0.0.tgz#aba0ab4c5eee2d4c79d3487d85450fb2376ebb0f"
@@ -2301,7 +2306,7 @@ combined-stream@^1.0.6, combined-stream@~1.0.6:
   dependencies:
     delayed-stream "~1.0.0"
 
-commander@2, commander@^2.18.0, commander@^2.19.0:
+commander@2, commander@^2.10.0, commander@^2.18.0, commander@^2.19.0:
   version "2.19.0"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a"
   integrity sha512-6tvAOO+D6OENvRAh524Dh9jcfKTYDQAqvqezbCW82xj5X0pSrcpxtvRKHLG0yBY6SD7PSDrJaj+0AiOcKVd1Xg==
@@ -10450,6 +10455,15 @@ yargs@^11.0.0:
     y18n "^3.2.1"
     yargs-parser "^9.0.2"
 
+yarn-deduplicate@^1.0.5:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/yarn-deduplicate/-/yarn-deduplicate-1.0.5.tgz#e56016f1c29e77e323f401ea838f5e8c7cdbfd42"
+  integrity sha512-4nds6N7dxuXcfUZAVaSUVSlI4TvwEdMaZg/DRBf/KM3iFezNBdkhcTYptcwKaecAYAfVxx3g0Ex21kssSr8YsA==
+  dependencies:
+    "@yarnpkg/lockfile" "^1.1.0"
+    commander "^2.10.0"
+    semver "^5.3.0"
+
 yeast@0.1.2:
   version "0.1.2"
   resolved "https://registry.yarnpkg.com/yeast/-/yeast-0.1.2.tgz#008e06d8094320c372dbc2f8ed76a0ca6c8ac419"
author	Lukas Eipert <leipert@gitlab.com>	2018-09-07 13:20:06 +0200
committer	Lukas Eipert <leipert@gitlab.com>	2018-12-17 09:58:39 +0100
commit	243bd56f9db95a29deaec9ff093b2ff8d02f82ee (patch)
tree	437d20ccde414ff8e9650283276bca0b6279a494
parent	8b4602041cf2c4a8738a4796d78720017249249f (diff)
download	gitlab-ce-243bd56f9db95a29deaec9ff093b2ff8d02f82ee.tar.gz