fix: Generate shrinkwraps for the bundled vscode

Author: edvincent

.github/workflows/ci.yaml

@@ -110,6 +110,9 @@ jobs:
           fetch-depth: 0
           submodules: true
 
+      - name: Install development tools
+        run: sudo apt install -y build-essential pkg-config g++ libx11-dev libxkbfile-dev libsecret-1-dev
+
       - name: Install quilt
         run: sudo apt update && sudo apt install quilt
 
@@ -183,6 +186,21 @@ jobs:
           name: npm-package
           path: ./package.tar.gz
 
+      # The npm artifact contains all the dependencies from node_modules,
+      # and things like yarn.lock - and doesn't need to be installed.
+      # This tarball is exactly what will be published to NPM.
+      - name: Create npm release tarball
+        run: |
+          cd release
+          yarn pack
+          mv code-server*.tgz code-server-npm-dist-tarball.tgz
+
+      - name: Upload npm release tarball
+        uses: actions/upload-artifact@v3
+        with:
+          name: code-server-npm-dist-tarball
+          path: ./release/code-server-npm-dist-tarball.tgz
+
   npm:
     # the npm-package gets uploaded as an artifact in Build
     # so we need that to complete before this runs

ci/build/build-release.sh

@@ -23,6 +23,8 @@ main() {
   bundle_code_server
   bundle_vscode
 
+  create_shrinkwraps
+
   rsync ./docs/README.md "$RELEASE_PATH"
   rsync LICENSE.txt "$RELEASE_PATH"
   rsync ./lib/vscode/ThirdPartyNotices.txt "$RELEASE_PATH"
@@ -56,16 +58,6 @@ EOF
   ) > "$RELEASE_PATH/package.json"
   rsync yarn.lock "$RELEASE_PATH"
 
-  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we seed
-  # an npm-shrinkwrap file from our yarn lockfile and the current node-modules installed.
-  synp --source-file yarn.lock
-  npm shrinkwrap
-  # HACK@edvincent: The shrinkwrap file will contain the devDependencies, which by default
-  # are installed if present in a lockfile. To avoid every user having to specify --production
-  # to skip them, we carefully remove them from the shrinkwrap file.
-  json -f npm-shrinkwrap.json -I -e "Object.keys(this.dependencies).forEach(dependency => { if (this.dependencies[dependency].dev) { delete this.dependencies[dependency] } } )"
-  mv npm-shrinkwrap.json "$RELEASE_PATH"
-
   rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
 
   if [ "$KEEP_MODULES" = 1 ]; then
@@ -153,4 +145,32 @@ EOF
   popd
 }
 
+create_shrinkwraps() {
+  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
+  # not packaged when publishing to the NPM registry.
+  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
+  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
+  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
+
+  # We first generate the shrinkwrap file for code-server itself
+  npm shrinkwrap
+  # HACK@edvincent: The shrinkwrap file will contain the devDependencies, which by default
+  # are installed if present in a lockfile. To avoid every user having to specify --production
+  # to skip them, we carefully remove them from the shrinkwrap file.
+  json -f npm-shrinkwrap.json -I -e "Object.keys(this.dependencies).forEach(dependency => { if (this.dependencies[dependency].dev) { delete this.dependencies[dependency] } } )"
+  mv npm-shrinkwrap.json "$RELEASE_PATH"
+
+  # Then the shrinkwrap files for the bundled VSCode
+  # We don't need to remove the devDependencies for these because we control how it's installed - and
+  # as such we can force the --production flag
+  cd lib/vscode/
+  npm shrinkwrap
+
+  cd extensions/
+  npm shrinkwrap
+
+  cd ../../..
+  mv lib/vscode/npm-shrinkwrap.json "$RELEASE_PATH/lib/vscode/npm-shrinkwrap.json"
+  mv lib/vscode/extensions/npm-shrinkwrap.json "$RELEASE_PATH/lib/vscode/extensions/npm-shrinkwrap.json"
+}
 main "$@"

ci/build/npm-postinstall.sh

@@ -90,14 +90,18 @@ symlink_asar() {
 }
 
 vscode_yarn() {
+  # NOTE@edvincent: Ideally, this should use `npm ci --production` - which is the equivalent of a
+  # frozen lockfile. NPM 6 doesn't deal well with `npm ci` and optionalDependencies (tries to install them
+  # anyway) - which are used for some Windows-only packages - so until we can upgrade to a higher version
+  # of NPM (along with Node), we rely on NPM's behavior to prefer what's on the lockfile and resolve what isn't.
   echo 'Installing Code dependencies...'
   cd lib/vscode
-  yarn --production --frozen-lockfile
+  npm install --production
 
   symlink_asar
 
   cd extensions
-  yarn --production --frozen-lockfile
+  npm install --production
 }
 
 main "$@"

package.json

@@ -60,14 +60,18 @@
     "eslint-plugin-import": "^2.18.2",
     "eslint-plugin-prettier": "^4.0.0",
     "json": "^11.0.0",
+    "minimist": "npm:minimist-lite@2.2.1",
+    "normalize-package-data": "^4.0.0",
+    "postcss": "^8.2.1",
     "prettier": "^2.2.1",
     "prettier-plugin-sh": "^0.8.0",
     "shellcheck": "^1.0.0",
     "stylelint": "^13.0.0",
     "stylelint-config-recommended": "^5.0.0",
-    "synp": "^1.9.10",
+    "trim": "^1.0.0",
     "ts-node": "^10.0.0",
-    "typescript": "^4.4.0-dev.20210528"
+    "typescript": "^4.4.0-dev.20210528",
+    "underscore": "^1.13.1"
   },
   "resolutions": {
     "ansi-regex": "^5.0.1",
@@ -106,8 +110,7 @@
     "semver": "^7.1.3",
     "split2": "^4.0.0",
     "ws": "^8.0.0",
-    "xdg-basedir": "^4.0.0",
-    "yarn": "^1.22.4"
+    "xdg-basedir": "^4.0.0"
   },
   "bin": {
     "code-server": "out/node/entry.js"