Faster SCA with Endor Labs and npm Workspaces
Introduction
Modern JavaScript projects often involve managing multiple packages, dependencies, and repositories. As projects grow larger and more complex, developers face challenges in maintaining a clean and efficient development workflow. Fortunately, npm workspaces offer an essential solution to streamline JavaScript development. In this blog post, we will explore the concept of npm/yarn workspaces, its importance, and how Endor Labs works with them.
What are npm Workspaces?
Workspaces is a feature introduced in npm version 7 that lets developers manage multiple packages within a monorepo. A monorepo is a single repository that contains multiple packages, each representing a different component or module of a larger application. Instead of keeping a separate lock file for each package, npm workspaces record the dependency tree of every package in the workspace in a single lock file, which streamlines dependency management in a large JavaScript monorepo.
Setting up npm Workspaces
To get started with npm workspaces, you need npm version 7 or later. Once you have it installed, navigate to your project's root directory and create a package.json file if you don't already have one. Add the following configuration in the package.json file:
In this example, `packages/*` is the pattern that specifies where the workspace packages are located. You can customize this pattern based on your project structure; the workspace configuration accepts any glob pattern that selects a directory. With this configuration in place, `npm install` always maintains a single package-lock.json file containing the dependency tree of every package in the workspace. `npm install` can be run from any directory within the workspace, not just the root, and the behavior is the same.
Importance of npm Workspaces
Streamlined Development Process
By grouping related packages in a monorepo, npm workspaces provide a single source of truth for all dependencies of the project. This streamlines the development process and reduces the risk of version conflicts or mismatched dependencies between packages.
Simplified Dependency Management
With npm workspaces, you can share dependencies between packages. Instead of keeping multiple copies of the same dependency across different packages, npm workspaces hoist common dependencies to the root of the monorepo, saving disk space and avoiding redundancy. This also reduces build time when npm is not configured to use a cache.
Atomic Versioning
All packages within an npm workspace share the same version number. When one package is updated, all of them are updated. This ensures consistency and prevents scenarios where one package lags behind in updates, which is useful in a typical JavaScript monorepo setup.
Simplified CI/CD Pipelines
With a monorepo and npm workspaces, setting up Continuous Integration/Continuous Deployment (CI/CD) pipelines becomes more straightforward. CI/CD processes can be triggered once for the entire monorepo, testing all packages together, ensuring better code coverage, and avoiding individual package issues.
Easier Code Refactoring and Collaboration
Developers can easily refactor code across packages since they all reside in the same repository. This promotes collaboration between team members and helps to maintain code quality and standards throughout the project.
Faster SCA
Since there is just one package-lock.json file in the entire monorepo, no matter how many packages it contains, an SCA tool only needs to examine one lock file to obtain the dependency tree of the whole monorepo. This makes dependency discovery much faster and saves a lot of time when the SCA tool runs in CI.
How does Endor Labs work with the npm/yarn workspaces?
Endor Labs supports workspaces transparently—no additional configuration is required to scan your projects that use workspaces.
Endor Labs scans are performed by executing the `endorctl` command-line tool in development and CI/CD pipelines. When a project is scanned with endorctl, it picks up the workspace configuration from package.json whether you are using npm or yarn workspaces. If no existing lock file is found, it runs `npm install --package-lock-only` for npm projects or `yarn install` for yarn-managed projects just once at the root of the workspace to create one. It then uses the lock file to build the whole dependency graph and reports vulnerability-related findings in the Endor Labs platform UI. You can read more about how to scan JavaScript projects with endorctl here.
Conclusion
npm workspaces provide a powerful approach to managing multiple packages within a single monorepo, streamlining JavaScript/TypeScript development. By using npm workspaces, developers can simplify dependency management, streamline the development process, and enhance collaboration among team members. Embracing this modern development workflow can significantly improve productivity and code maintainability, making it an essential tool for managing large-scale JavaScript projects. If you haven't explored npm workspaces yet, it's time to consider adopting them to take your JavaScript development to the next level. Happy coding, Cheers!