From a30727df369bd904e2cb05eb5bde3e191da1726a Mon Sep 17 00:00:00 2001
From: Erik Marks <25517051+rekmarks@users.noreply.github.com>
Date: Tue, 3 Mar 2026 16:25:45 -0800
Subject: [PATCH 1/2] fix: prevent non-private packages from having private workspace production deps

Add a yarn constraint that errors when a published (`@metamask/`) package lists a private (`@ocap/`) workspace package in production dependencies (`dependencies` or `peerDependencies`) via the `workspace:` protocol.

Co-Authored-By: Claude Sonnet 4.6
---
 yarn.config.cjs | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/yarn.config.cjs b/yarn.config.cjs
index 5dfe8f8a3..44e91f085 100644
--- a/yarn.config.cjs
+++ b/yarn.config.cjs
@@ -169,6 +169,9 @@ module.exports = defineConfig({
       // All non-root package must have valid "changelog:update" and
       // "changelog:validate" scripts.
       expectCorrectWorkspaceChangelogScripts(workspace);
+
+      // Non-private packages must not have production dependencies on private workspace packages.
+      expectNoPrivateWorkspaceProductionDependencies(Yarn, workspace);
     }
 
     // Non-published packages must not specify the following keys except from the ones that are exempted
@@ -827,6 +830,36 @@ function expectConsistentDependenciesAndDevDependencies(Yarn) {
   }
 }
 
+/**
+ * Expect that non-private workspace packages do not have production
+ * dependencies (anything except `devDependencies`) using the `workspace:`
+ * protocol that resolve to private packages.
+ *
+ * @param {Yarn} Yarn - The Yarn "global".
+ * @param {Workspace} workspace - The workspace to check.
+ */
+function expectNoPrivateWorkspaceProductionDependencies(Yarn, workspace) {
+  for (const dependency of Yarn.dependencies({ workspace })) {
+    if (dependency.type === 'devDependencies') {
+      continue;
+    }
+
+    if (!dependency.range.startsWith('workspace:')) {
+      continue;
+    }
+
+    const dependencyWorkspace = Yarn.workspace({ ident: dependency.ident });
+    if (
+      dependencyWorkspace !== null &&
+      dependencyWorkspace.manifest.private === true
+    ) {
+      dependency.error(
+        `Non-private package "${workspace.manifest.name}" must not depend on private package "${dependency.ident}" in "${dependency.type}"`,
+      );
+    }
+  }
+}
+
 /**
  * Expect that the workspace has a README.md file, and that it is a non-empty
  * string. The README.md is expected to:

From 782e72c3661bbab4f4ce64e7a6f4949dd325dc1e Mon Sep 17 00:00:00 2001
From: Erik Marks <25517051+rekmarks@users.noreply.github.com>
Date: Tue, 3 Mar 2026 17:21:10 -0800
Subject: [PATCH 2/2] fix: Always run public / private dep constraint for public packages

---
 yarn.config.cjs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/yarn.config.cjs b/yarn.config.cjs
index 44e91f085..1666ae474 100644
--- a/yarn.config.cjs
+++ b/yarn.config.cjs
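Review bot: `expectNoPrivateWorkspaceProductionDependencies` never checks that `workspace` itself is non-private, so its name and JSDoc promise a gate that only the caller provides (the first call site in this series runs it for every non-root workspace, private ones included). Adding `if (workspace.manifest.private === true) { return; }` before the `for` loop makes the helper safe to call from any site and mirrors the `dependencyWorkspace.manifest.private === true` test it already performs on the target. The JSDoc would also benefit from one sentence on why the rule exists: a published manifest that names a never-published workspace package presumably cannot be installed by consumers, and an unreserved name on the public registry is exactly the gap a dependency-confusion substitution relies on, so the check is a supply-chain guard rather than a tidiness rule. Dependencies on a workspace name declared with a plain semver range instead of the `workspace:` protocol are skipped by design here; a short comment on the `startsWith('workspace:')` branch saying so would spare the next reader the question.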
@@ -126,6 +126,11 @@ module.exports = defineConfig({
         expectWorkspaceLicense(workspace);
       }
 
+      if (!isPrivate) {
+        // Non-private packages must not depend on private packages.
+        expectNoPrivateWorkspaceProductionDependencies(Yarn, workspace);
+      }
+
       if (!isPrivate && !exportsExceptions.includes(workspaceBasename)) {
         // The entrypoints for all published packages must be the same.
         expectWorkspaceField(workspace, 'module', './dist/index.mjs');
@@ -169,9 +174,6 @@ module.exports = defineConfig({
       // All non-root package must have valid "changelog:update" and
       // "changelog:validate" scripts.
       expectCorrectWorkspaceChangelogScripts(workspace);
-
-      // Non-private packages must not have production dependencies on private workspace packages.
-      expectNoPrivateWorkspaceProductionDependencies(Yarn, workspace);
     }
 
     // Non-published packages must not specify the following keys except from the ones that are exempted
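Review bot: The new comment `// Non-private packages must not depend on private packages.` claims more than `expectNoPrivateWorkspaceProductionDependencies` enforces, which per the first patch in this series skips `devDependencies` and any range not starting with `workspace:`; the wording the first patch used at the old call site is accurate and should be kept: `// Non-private packages must not have production dependencies on private workspace packages.`. How `isPrivate` is computed is outside this hunk; if it comes from anything other than `workspace.manifest.private`, the caller's gate and the callee's `manifest.private === true` test on the target could disagree, so it is worth confirming both read the same field.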