
Conversation

@erickzhao erickzhao commented Dec 16, 2025

Our init tests have a release-blocking issue at the moment.

Given:

  • Our npm trusted publishing workflow relies on yarn lerna:version, which bumps all versions in Electron Forge to the next semantic release version without tagging or releasing.
  • The git tag/npm release flow for this new release only gets triggered once the PR is merged.

Then:

  • The init tests run against the current build of Forge. They will attempt to install an unreleased version for any version bump PR and the tests will fail.

For an example of this in action, see #4094.

Solution

Verdaccio is an npm proxy registry. This PR adds a new spawn-verdaccio.ts tool script that runs a new instance of the registry on localhost and runs the lerna publish command on Forge with the --registry flag pointing to Verdaccio.

Then, the script will attempt to run any command that it's fed through args with an additional set of environment variables to correctly point the package manager to Verdaccio (NPM_CONFIG_REGISTRY, YARN_NPM_REGISTRY_SERVER, YARN_UNSAFE_HTTP_WHITELIST).

Alternatives considered

Initially, I tried to modify initLink to point all Forge deps to file: protocol. This worked fine with npm, but fell apart a bit with Yarn and pnpm when dealing with the workspace: protocol (albeit I also tried to wire up local node_modules dependencies via file: protocol as well and that caused more issues).

In the end, I chose the Verdaccio solution since it's package manager-agnostic. It's not a perfect replacement for initLink since it doesn't respond to changes in the original JavaScript code (it just tarballs the dist folder), but works well in tests and CI.

Caveats

  • Running lerna publish (even to Verdaccio) requires a clean working tree, so you'll need to commit all changes before running yarn test:verdaccio. Any tests that leave committable artifacts will also mess up the Verdaccio tests because Lerna will be unable to publish.
    • For example, running yarn config set dynamically in CI will cause these tests to fail because it modifies .yarnrc.yml on the fly.
  • Only the init tests currently run against Verdaccio, but there might be room in the future to do so with other tests that install deps (e.g. TypeScript template tests).
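The environment wiring described above, as an added TypeScript example that is not the PR's own spawn-verdaccio.ts: it builds the npm/Yarn/pnpm environment for a given registry URL, refuses a plain-http registry that is not on loopback (YARN_UNSAFE_HTTP_WHITELIST turns off Yarn's HTTPS requirement for the named host, so it should only ever name the local Verdaccio), and runs a command under that environment. The function names and the http://localhost:4873 registry URL (Verdaccio's default port) are assumptions.

```typescript
// Added example, not the Forge project's spawn-verdaccio.ts.
import { spawnSync } from 'node:child_process';

type Env = Record<string, string | undefined>;

// Hosts for which an http:// registry is acceptable in a test run.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns a copy of baseEnv with npm, pnpm and Yarn Berry pointed at registryUrl.
export function buildRegistryEnv(registryUrl: string, baseEnv: Env): Env {
  const url = new URL(registryUrl);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`unsupported registry protocol ${url.protocol}`);
  }
  // YARN_UNSAFE_HTTP_WHITELIST disables Yarn's HTTPS check for that host, so a
  // plain-http registry is only allowed when it is the local Verdaccio instance.
  if (url.protocol === 'http:' && !LOOPBACK_HOSTS.has(url.hostname)) {
    throw new Error(`refusing plain-http registry on non-loopback host ${url.hostname}`);
  }
  const registry = `${url.origin}/`;
  return {
    ...baseEnv,
    NPM_CONFIG_REGISTRY: registry, // read by npm and pnpm
    YARN_NPM_REGISTRY_SERVER: registry, // read by Yarn Berry
    ...(url.protocol === 'http:' ? { YARN_UNSAFE_HTTP_WHITELIST: url.hostname } : {}),
  };
}

// Runs `command args...` with the registry environment applied and returns its
// exit status (1 if the process was killed by a signal).
export function runAgainstRegistry(registryUrl: string, command: string, args: string[]): number {
  const env = buildRegistryEnv(registryUrl, process.env as Env);
  const result = spawnSync(command, args, { env, stdio: 'inherit' });
  if (result.error) throw result.error;
  return result.status ?? 1;
}
```
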

socket-security bot commented Dec 16, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Added: verdaccio@6.2.4 (scores: Supply Chain Security 96, Vulnerability 100, Quality 100, Maintenance 97, License 100)

View full report

socket-security bot commented Dec 16, 2025

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • jws@3.2.3

View full report

@erickzhao erickzhao marked this pull request as ready for review December 17, 2025 00:26
@erickzhao erickzhao requested a review from a team as a code owner December 17, 2025 00:26
@erickzhao erickzhao requested a review from a team December 17, 2025 00:26
@erickzhao erickzhao changed the title from "test: use verdaccio for e2e testing" to "test: use verdaccio for e2e init testing" Dec 17, 2025
@erickzhao erickzhao added the next label Dec 17, 2025
@erickzhao (Member Author) commented:

Note that this PR is also blocking releases in main, so I'll be backporting the work shortly.

@erickzhao (Member Author) commented:

@SocketSecurity ignore npm/jws@3.2.3 seems fine

@erickzhao erickzhao requested a review from VerteDinde December 18, 2025 03:05
@erickzhao erickzhao enabled auto-merge (squash) December 18, 2025 03:07
@erickzhao erickzhao merged commit 1d783a4 into next Dec 18, 2025
11 checks passed
@erickzhao erickzhao deleted the verdaccio branch December 18, 2025 03:49
github-merge-queue bot pushed a commit that referenced this pull request Dec 19, 2025
* test(slow): test api against `file:` protocol fixtures (#4087)

* test(slow): simplify bootstrapping tests (#4096)

* test: use verdaccio for e2e init testing (#4100)

* zzz

* gg