But the disadvantage of Yarn plugins is that there are currently no commands to install them into your project, so you need to fetch the file for the Yarn plugin yourself, and then you need to keep it up to date yourself. And there are no simple hooks you can use. You always need to declare a Yarn plugin, which is more work than the pnpm hooks. So basically, pnpm hooks are loaded from a .pnpmfile.cjs. And there are two different kinds of hooks: advanced hooks and simple hooks. With advanced hooks, you can create custom fetchers, importers and resolvers, so you can basically change what gets installed from where. An example of something that uses advanced hooks is StackBlitz. StackBlitz runs pnpm in a web container, and they created these custom fetchers and importers to make pnpm really fast inside the web container. And simple hooks can change the package manifest during installation and change settings.
So I'll be quick now, because there's not much time left. So one of the hooks is the updateConfig hook, a simple hook. And this hook allows you to change the configuration object of pnpm during runtime. So for instance, in this example, you can see that we set an override for socks, because socks has a vulnerability in all versions older than 2.8. This way, you can fix vulnerabilities and share these fixes across your organization. Just install this config dependency. You can change the default settings of pnpm to be more strict, for instance, because the default settings allow you a lot. They are good for people that just start using pnpm. But if you want to be more strict, you can have your own policies, create a config dependency and share it across. We maintain a config dependency called better defaults, which we can use, and it will make pnpm more strict, and it's better for advanced users. Also, any breaking changes to pnpm might come first to this config dependency. You can also share version catalogs with this hook. I hope you heard about version catalogs, but if not, check it out.

Another simple hook is the readPackage hook, which allows you to modify the package's manifest during installation. So if some package is missing a dependency, for instance, you can extend the dependencies object here, and it will be installed. In this case, pnpm-to-agent is missing debug from its dependencies, and we can basically check if it's there, and if it's not, we add it. Another use case is creating allow lists or block lists of packages. Maybe your organization has a process of allowing new packages. You can use this hook to check the package which gets installed and throw an error if you don't want it.
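The two simple hooks the talk walks through, written out as an added example (not the speaker's own code and not pnpm's): a .pnpmfile.cjs whose updateConfig hook adds the socks override and whose readPackage hook fills in a missing debug dependency and refuses packages on a block list. The package name keyed in MISSING_DEPS, the block-list entry, the version ranges, and the assumption that the config object carries an overrides field are all mine, not from the talk.

```javascript
'use strict';

// Added example of a .pnpmfile.cjs, not the speaker's code. The policy tables
// below are constructed for illustration; the socks override follows the talk.
const OVERRIDES = { socks: '>=2.8.0' };
// Assumed package name and range: the talk only says a package lacks 'debug'.
const MISSING_DEPS = { 'pnpm-to-agent': { debug: '^4.3.4' } };
// Constructed block-list entry; a real list holds names your process rejected.
const BLOCKED_PACKAGES = new Set(['example-blocked-package']);

// Simple hook: pnpm hands us its config object and uses what we return.
// Merging into an 'overrides' field is an assumption about that object's shape.
function updateConfig(config) {
  return { ...config, overrides: { ...(config.overrides || {}), ...OVERRIDES } };
}

// Simple hook: called for each package manifest during installation.
function readPackage(pkg, context) {
  const log = context && typeof context.log === 'function' ? context.log : () => {};
  if (BLOCKED_PACKAGES.has(pkg.name)) {
    // Throwing aborts the install; that is how the block list is enforced.
    throw new Error(`${pkg.name} is on the block list; installation refused`);
  }
  const missing = MISSING_DEPS[pkg.name];
  if (missing) {
    pkg.dependencies = pkg.dependencies || {};
    for (const [dep, range] of Object.entries(missing)) {
      // Only add what is absent; a range the package already declares is kept.
      if (!pkg.dependencies[dep]) {
        pkg.dependencies[dep] = range;
        log(`readPackage: added missing dependency ${dep}@${range} to ${pkg.name}`);
      }
    }
  }
  return pkg;
}

// pnpm looks for the hooks under module.exports.hooks in .pnpmfile.cjs.
if (typeof module !== 'undefined') {
  module.exports = { hooks: { updateConfig, readPackage } };
}
```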