Skip to content

feat: convert to npm workspaces monorepo with per-package publishing#368

Draft
alexluckett wants to merge 34 commits into
mainfrom
maplibre-peer-dependency
Draft

feat: convert to npm workspaces monorepo with per-package publishing#368
alexluckett wants to merge 34 commits into
mainfrom
maplibre-peer-dependency

Conversation

@alexluckett

@alexluckett alexluckett commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

The problem

@defra/interactive-map currently ships as a single npm package where map provider dependencies (maplibre-gl, @arcgis/core, ol, etc.) are declared as optional peer dependencies at the package root.

A single package.json cannot declare different peer dependencies for different sub-path exports. A consumer installs interactive-map but npm has no knowledge of whether they're using the MapLibre or ESRI provider — npm's checks run at a different level. The result: any consuming service can silently drop a required map provider and npm won't flag the breakage. In the case of forms-engine-plugin, maplibre-gl was almost accidentally dropped with no build-time error — the build would have succeeded and failed only at runtime, potentially in production.

The only way to make maplibre-gl a required peer dependency of the MapLibre provider — without also forcing ESRI consumers to install it — is to give each provider and plugin its own published package.

Solution

Converts the repository to an npm workspaces monorepo. Each provider and plugin becomes its own scoped npm package with required peer dependencies based only on what that package actually needs. The existing file hierarchy, CI pipeline, and build system remain architecturally consistent — publishing gains a loop to publish each package individually.

New package naming convention:

@defra/interactive-map                       # core
@defra/interactive-map-provider-maplibre     # provider: maplibre
@defra/interactive-map-plugin-draw-ml        # plugin: draw-ml
@defra/interactive-map-plugin-search         # plugin: search

Benefits:

  • Install-time enforcement of required dependencies via native npm tooling
  • Consumers install only what they use — core can get smaller over time
  • Clearer naming: the package name tells you whether something is a provider or plugin
  • Future flexibility: mature plugins/providers can be spun off into their own repo with independent version numbers

What changed

  • Each provider and plugin gains its own package.json with scoped name and required peer deps (plus preact/@babel/runtime dependencies where the built output externalises them)
  • The beta/ directory is dropped — beta status is now signalled via publishConfig.tag: "beta" per package rather than file hierarchy
  • scripts/publish-package.sh extended to stamp lockstep versions into all workspace packages and publish each one
  • Rollup and webpack build paths updated for the flattened directory structure
  • Datasets maplibre adapter added as a separate rollup entry, enabling the ./adapters/maplibre sub-path export
  • Four direct node_modules/ import paths in draw-ml replaced with public MapboxDraw API equivalents
  • Fixed a bug in the publish script where npm publish --prefix was silently publishing the root package instead of each workspace package
  • Docs, examples and demos migrated to the new package names

Release tooling (new)

Publishing runs on npm OIDC trusted publishing (no long-lived npm token in CI). npm's hard constraint: a trusted publisher can only be configured on a package that already exists on the registry — so the OIDC-only pipeline cannot publish a brand-new package's first version. Every package therefore needs a one-time bootstrap; on this branch that is all 14 new workspace packages.

  • scripts/seed-packages.sh + .github/workflows/seed-packages.yml — manual (workflow_dispatch) bootstrap that bare-publishes only not-yet-existing packages under a dedicated seed dist-tag, using a temporary NPM_TOKEN secret (add → run → delete + revoke). Idempotent; supports dry-run. Only distrusts npm's explicit E404 as "does not exist" — transient registry errors abort rather than risk publishing over a live package.
  • Pre-flight gate in scripts/publish-package.sh — before anything is stamped or published, asserts per package: registered on npm, target version free, and packable (npm publish --dry-run). Reports every failure at once and aborts cleanly, converting a mid-loop partial release into a pre-publish no-op. Dry runs mutate nothing.
  • RELEASING.md — full runbook: bootstrap procedure, release steps, dist-tag matrix, pre-flight failure table, troubleshooting.
  • First-time order matters: merge → seed → configure trusted publishing per package → release. The workflow only appears in the Actions tab once merged to main.

Dist-tag behaviour: on a standard release, core + provider-maplibre + plugin-interact + plugin-search go to latest; the other 11 packages go to beta. Any pre-release goes to alpha for all 15.

Consumer migration (breaking)

Two things change for consumers:

  1. Providers and plugins must now be installed as separate packages — they are no longer sub-paths of the core package:
Before (sub-path import) After (install + import)
@defra/interactive-map/providers/maplibre @defra/interactive-map-provider-maplibre
@defra/interactive-map/plugins/interact @defra/interactive-map-plugin-interact
@defra/interactive-map/plugins/search @defra/interactive-map-plugin-search
@defra/interactive-map/plugins/datasets/adapters/maplibre @defra/interactive-map-plugin-datasets/adapters/maplibre
(and so on for each plugin/provider)
  1. Beta packages have no latest dist-tag — the 11 beta-status packages publish only under beta, so a plain npm install @defra/interactive-map-plugin-datasets fails; install them as @beta (or a pinned version). The four stable packages install normally.

maplibre-gl is already externalised by rollup for ESM builds, making it
functionally a peer dependency. This aligns package.json with the build
behaviour and the existing docs guidance, consistent with how @arcgis/core
and ol are declared.

Also removes a try/catch in the ESRI provider that was swallowing the
native module-not-found error with a less informative message.
Move beta providers (esri, openlayers, open-names) and beta plugins (scale-bar, datasets, draw-ml, draw-es, draw-ol, frame, map-styles, use-location) to their canonical locations at the root of providers/ and plugins/ directories. This aligns with the new npm workspaces monorepo structure where publishConfig.tag will indicate beta status rather than directory convention.
Add package.json files for maplibre (stable), esri, openlayers, and open-names (beta) providers. Each declares @defra/interactive-map and required engine peer dependencies, with files field limiting published output to dist/ only.
- Remove ./css export from interact plugin (no SCSS source files)
- Add missing ./css export to draw-ol plugin (has SCSS source files)
- Add rollup entry for datasets maplibre adapter sub-path export
- Add adapter index.js re-exporting maplibreLayerAdapter as named export
- Fix publish script: replace npm publish --prefix with npm publish ./
  (--prefix targets the npm prefix dir, not the package dir; bare paths
  are treated as git URLs — ./ prefix is required for local directories)
@alexluckett alexluckett marked this pull request as draft June 18, 2026 08:57
# Conflicts:
#	plugins/datasets/src/adapters/maplibre/registry/mapLibreDataset.js
Main-side commits added logger imports at the old beta/ directory depth.
The merge auto-applied them verbatim onto the flattened paths, leaving
one too many '../' levels. Build (rollup) caught these; jest masked them
via mocks.
New workspace packages (providers/*, plugins/*) can't be published by the
OIDC-only publish pipeline on first run — npm trusted publishing requires the
package to already exist. Add a one-time seed path plus a pre-flight gate and
runbook so releases are safe and repeatable:

- seed-packages.sh + seed-packages.yml: workflow_dispatch bootstrap that
  bare-publishes not-yet-existing packages under a `seed` dist-tag, authed via
  a temporary NPM_TOKEN secret (idempotent, dry-run supported).
- publish-package.sh: pre-flight gate that asserts every package can publish
  the target version before anything is stamped/published, aborting with
  nothing published instead of dying mid-loop.
- RELEASING.md: bootstrap + release runbook, pre-flight fixes, dist-tags,
  troubleshooting.
… E404 conflation, dry-run mutation

- preflight: npm publish "$pkg_dir" parsed bare workspace paths as GitHub
  owner/repo shorthands (git ls-remote ssh://git@github.com/providers/maplibre.git),
  failing check #3 for all 14 workspaces on every release — add ./ prefix
- get_published_version: use <major>.x range (^0.0.0 matches nothing for the
  entire 0.x line), normalise npm's bare-string single-match output (jq .[-1]
  errored → gate silently disabled), semver-sort instead of trusting publish
  order, and drop npm's --json error objects
- validate_version_bump: require positive proof new > published; the inverted
  <= check treated semver tool failure or a malformed version as a pass;
  --include-prerelease so prerelease tags still satisfy >
- VERSION_PATTERN: escape dots (v1.2,3 previously matched)
- preflight #1 and seed existence check: distinguish E404 from transient
  registry errors — seed aborts instead of bare-publishing over a live package
- dry run no longer runs stamp_versions (previously mutated all 15 manifests)
DemoMapDrawTools/StyleSwitcher/Polygons/Symbols dynamically import the old
plugins/beta/* layout — these components are mounted by docs/examples/*.mdx,
so the docusaurus build (and Pages deploy) broke on the missing modules.
demo/umd.html likewise 404'd the datasets plugin script/css.
The build never produces plugins/draw-ml/dist/css — the only SCSS import
(src/index.js:2, './draw.scss') was commented out on main in #344 — so the
advertised './css' subpath could never resolve for consumers. Removed to match
shipped reality; if the styles are meant to ship (draw-ol's equivalent does),
re-enabling the import should be its own change.
Rollup externalizes preact/* and @babel/runtime/* — the published ESM contains
bare imports of both, but the new packages declared only the core peer. Works
on npm via hoisting from the core package's own deps; breaks on pnpm strict
node_modules and Yarn PnP with ERR_MODULE_NOT_FOUND.

Plugins get preact + @babel/runtime; providers only @babel/runtime (no JSX in
their externalized output). Ranges match the root package so resolvers dedupe
to a single preact instance (shared hooks/context).
- 7 example .mdx files still imported deleted root subpaths
  (@defra/interactive-map/providers/*, /plugins/*)
- getting-started.md installed only the core package while its own usage
  section imports the maplibre provider package; provider sections now
  install the provider packages (esri via @beta — no latest dist-tag)
- datasets.md still pointed at plugins/beta/ asset paths
# Conflicts:
#	plugins/draw-ml/src/modes/createDrawMode.js
#	plugins/draw-ml/src/modes/editVertexMode.js
…rst)

The public-MapboxDraw-API migration left const destructuring of
MapboxDraw.lib/.modes between import statements in four mode files —
standard's import/first rule fails CI on it (the PR's first CI run in
weeks: the branch was conflicting with main, so pull_request workflows
were silently skipped and never caught it).
sonar.exclusions still referenced plugins/beta/** and providers/beta/**,
which no longer exist after the flatten — so all 11 beta-status packages
entered Sonar analysis for the first time and their entire contents were
attributed to this PR as new code (193 violations, 0% new coverage; a
line-level blame check confirmed 0 of 193 flagged lines are authored by
this branch).

Enumerate the same 11 package dirs jest already ignores for coverage,
restoring exact parity with what Sonar analyzed on main. Documented the
three-place graduation checklist in RELEASING.md.

@markfee markfee left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good - I like the changes.

@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants