Merge pull request #1606 from salesforcecli/d/W-21064297

feat: enforces that only pinned dependencies should be pinned @W-21064297@

Author: iowillhoit

src/commands/cli/release/build.ts

@@ -7,7 +7,7 @@
 
 import { promisify } from 'node:util';
 import { exec as execSync, ExecException } from 'node:child_process';
-import { arrayWithDeprecation, Flags, SfCommand, Ux } from '@salesforce/sf-plugins-core';
+import { Flags, SfCommand, Ux } from '@salesforce/sf-plugins-core';
 import { ensureString } from '@salesforce/ts-types';
 import { Env } from '@salesforce/kit';
 import { Octokit } from '@octokit/core';
@@ -51,8 +51,10 @@ export default class build extends SfCommand<void> {
       default: true,
       allowNo: true,
     }),
-    only: arrayWithDeprecation({
+    only: Flags.string({
       summary: messages.getMessage('flags.only.summary'),
+      multiple: true,
+      delimiter: ',',
     }),
     'pinned-deps': Flags.boolean({
       summary: messages.getMessage('flags.pinned-deps.summary'),

src/package.ts

@@ -214,8 +214,10 @@ export class Package extends AsyncOptionalCreatable {
         // find dependency in package.json (could be an npm alias)
         const depInfo = this.getDependencyInfo(name, { ...dependencies, ...resolutions, ...jitPlugins });
 
+        const shouldPin: boolean = this.shouldPinDependency(depInfo.packageName);
+
         // if a version is not provided, we'll look up the "latest" version
-        depInfo.finalVersion = version ?? this.getDistTags(depInfo.packageName).latest;
+        depInfo.finalVersion = `${shouldPin ? '' : '^'}${version ?? this.getDistTags(depInfo.packageName).latest}`;
 
         // return if version did not change
         if (depInfo.currentVersion === depInfo.finalVersion) return;
@@ -341,6 +343,17 @@ export class Package extends AsyncOptionalCreatable {
       'dist-tags': {},
     };
   }
+
+  private shouldPinDependency(dependencyName: string): boolean {
+    const pinnedDependencies: string[] = this.packageJson.pinnedDependencies ?? [];
+    const jitDependencies: string[] = this.packageJson.oclif?.jitPlugins
+      ? Object.keys(this.packageJson.oclif.jitPlugins)
+      : [];
+
+    const dependenciesThatShouldBePinned = [...pinnedDependencies, ...jitDependencies];
+
+    return dependenciesThatShouldBePinned.includes(dependencyName);
+  }
 }
 
 const getNameAndTag = (plugin: string): [name: string, tag: string | undefined] => {

test/package.test.ts

@@ -130,6 +130,7 @@ describe('Package', () => {
             '@salesforce/plugin-config': '1.2.3',
             'left-pad': '1.1.1',
           },
+          pinnedDependencies: ['@salesforce/plugin-config'],
           resolutions: {
             '@salesforce/source-deploy-retrieve': '1.0.0',
           },
@@ -149,70 +150,85 @@ describe('Package', () => {
     });
     it('should look up latest version if not provided', async () => {
       const pkg = await Package.create();
-      const results = pkg.bumpDependencyVersions(['@salesforce/plugin-config', '@salesforce/jit-me']);
+      const results = pkg.bumpDependencyVersions(['@salesforce/plugin-config', '@salesforce/jit-me', 'left-pad']);
 
       expect(results).to.deep.equal([
         {
           packageName: '@salesforce/plugin-config',
           currentVersion: '1.2.3',
+          // Dependency should be pinned because it is listed in `pinnedDependencies`
           finalVersion: '9.9.9',
         },
         {
           packageName: '@salesforce/jit-me',
           currentVersion: '1.0.0',
+          // Dependency should be pinned, even though it's not in `pinnedDependencies`, because it's in `oclif.jitPlugins`
           finalVersion: '9.9.9',
         },
+        {
+          packageName: 'left-pad',
+          currentVersion: '1.1.1',
+          // Dependency should be unpinned because it is not listed in `pinnedDependencies`
+          finalVersion: '^9.9.9',
+        },
       ]);
     });
 
     it('should used passed in version', async () => {
       const pkg = await Package.create();
-      const results = pkg.bumpDependencyVersions(['@salesforce/plugin-config@11.0.0']);
+      const results = pkg.bumpDependencyVersions(['@salesforce/plugin-config@11.0.0', 'left-pad@11.0.0']);
 
       expect(results).to.deep.equal([
         {
           packageName: '@salesforce/plugin-config',
           currentVersion: '1.2.3',
+          // Dependency should be pinned because it's in `pinnedDependencies`
           finalVersion: '11.0.0',
         },
+        {
+          packageName: 'left-pad',
+          currentVersion: '1.1.1',
+          // Dependency should be unpinned because it's not in `pinnedDependencies`
+          finalVersion: '^11.0.0',
+        },
       ]);
     });
 
-    it('should work with non-namespaced package', async () => {
+    it('should unpin a not-explicitly-pinned version even if it is already up-to-date', async () => {
       const pkg = await Package.create();
-      const results = pkg.bumpDependencyVersions(['left-pad']);
+      const results = pkg.bumpDependencyVersions(['left-pad@11.0.0']);
 
       expect(results).to.deep.equal([
         {
           packageName: 'left-pad',
           currentVersion: '1.1.1',
-          finalVersion: '9.9.9',
+          finalVersion: '^11.0.0',
         },
       ]);
     });
 
-    it('should return an empty array if all versions are already up to date', async () => {
+    it('should return an empty array if all bumped versions are already up to date', async () => {
       const pkg = await Package.create();
       const results = pkg.bumpDependencyVersions(['@salesforce/plugin-config@1.2.3']);
 
       expect(results).to.deep.equal([]);
     });
 
-    it('should update dependencies in package.json', async () => {
+    it('should update unpinned dependencies in package.json to unpinned version', async () => {
       const pkg = await Package.create();
-      pkg.bumpDependencyVersions(['@salesforce/plugin-config@3.3.3']);
+      pkg.bumpDependencyVersions(['left-pad@3.3.3']);
 
-      expect(pkg.packageJson.dependencies['@salesforce/plugin-config']).to.equal('3.3.3');
+      expect(pkg.packageJson.dependencies['left-pad']).to.equal('^3.3.3');
     });
 
-    it('should update resolutions in package.json', async () => {
+    it('should update resolutions in package.json to unpinned version', async () => {
       const pkg = await Package.create();
       pkg.bumpDependencyVersions(['@salesforce/source-deploy-retrieve@1.0.1']);
       assert(pkg.packageJson.resolutions);
-      expect(pkg.packageJson.resolutions['@salesforce/source-deploy-retrieve']).to.equal('1.0.1');
+      expect(pkg.packageJson.resolutions['@salesforce/source-deploy-retrieve']).to.equal('^1.0.1');
     });
 
-    it('should update jit in package.json', async () => {
+    it('should update jit in package.json to pinned version', async () => {
       const pkg = await Package.create();
       pkg.bumpDependencyVersions(['@salesforce/jit-me@1.0.1']);
       assert(pkg.packageJson.oclif?.jitPlugins);