Skip to main content

Package Versioning and Publishing Requirements

"Denying access is just as important as granting it; otherwise, you're handing out keys to the kingdom."

Requirements for Versioning and Publishing Packages in a Monorepo

Functional Requirements

  1. Automated Version Bumping

    • Implement automated tools to determine and apply semantic versioning rules (major, minor, patch) based on conventional commit messages.

  2. Changelog Generation

    • Automatically generate and format changelogs, summarizing changes for each release from commit messages.

  3. GitHub Release Integration

    • Automate the creation of GitHub release entries, including links to the changelog, release notes, and associated version tags.

  4. Registry Publishing

    • Publish packages to registries (public and private), ensuring seamless integration with platforms like npm, Azure Artifacts, or GitHub Packages.

  5. Inter-Package Dependency Management

    • Ensure internal dependencies within the monorepo are updated and version-aligned during the versioning process.

  6. Pure Dependency Resolution in package.json

    • Modify package.json files to:
      • Include only pure dependencies required for the current package.
      • Synchronize internal monorepo dependencies to their correct version for simultaneous releases.

  7. Support for Monorepo Tools

    • Integrate with tools like Nx to ensure efficient package versioning, publishing workflows, and dependency graph management.

  8. First-Time Release Handling

    • Automatically assign baseline versions to packages with no previous version history to support initial releases.

  9. Pre- and Post-Publishing Hooks

    • Allow custom scripts to run during pre-publishing and post-publishing workflows for additional actions like validation or cleanup.

  10. Provenance for Builds and Publishing

    • Maintain detailed evidence for each build and publishing operation, ensuring:
      • Cryptographic verification of the integrity of artifacts (e.g., signatures).
      • Logs and metadata documenting the entire workflow.
      • Assurance that the build and publishing process remains tamper-proof and auditable for security and compliance purposes.

  11. Local Development Workflow

    • Enable developers to locally test the entire versioning and publishing process using a localized registry like Verdaccio or similar:
      • Support local package installation and dependency resolution without affecting external registries.
      • Allow local workflows to mimic the production pipeline as closely as possible.
      • Optionally prevent actual publishing during development while providing full verification of the workflow.

Non-Functional Requirements

  1. Performance

    • The workflow must handle versioning and publishing for a monorepo with hundreds of packages without significant delays.

  2. Scalability

    • Support monorepos of varying sizes, from small projects to enterprise-scale repositories with complex dependency graphs.

  3. Reliability

    • Ensure accurate versioning and dependency synchronization with minimal risk of breaking builds or dependencies.

  4. Integration

    • Support seamless integration with CI/CD pipelines to trigger builds, tests, and deployments post-publishing.

  5. Configurability

    • Allow customization of the workflow, such as commit conventions, changelog formats, and registry targets.

  6. Security

    • Implement fine-grained access control for the publishing workflow:
      • Restrict publishing operations to authorized developers or users.
      • Integrate with authentication mechanisms (e.g., OAuth, GitHub tokens, or LDAP) to enforce permissions.
      • Use role-based access control (RBAC) to define permissions for build and publish operations.
      • Ensure that only approved pipelines or CI/CD workflows can publish to specific registries.
      • Prevent unauthorized developers from publishing packages with sensitive or critical tags (e.g., latest).

  7. Auditability

    • Maintain logs of all versioning and publishing activities, including changes to package.json files, to ensure transparency and traceability.

  8. Ease of Use

    • Provide clear and concise documentation and intuitive commands to simplify adoption for development teams.

  9. Compatibility

    • Ensure compatibility with popular JavaScript tools and environments (e.g., Node.js, npm, Yarn, pnpm) and support common monorepo setups.

  10. Error Handling

    • Implement robust error detection and handling mechanisms with informative messages to assist developers in troubleshooting issues during the workflow.

  11. Cross-Platform Support

    • Ensure the workflow operates consistently across different operating systems (e.g., Windows, macOS, Linux).

  12. Provenance Assurance

    • Ensure cryptographic mechanisms and metadata are in place to document, verify, and protect the integrity of every step in the process, providing confidence to both developers and end users.