A simple system for linking Socket projects during local development:
- Local development: Uses filesystem links to sibling projects
- CI/production: Uses published npm packages
The key: .pnpmfile.cjs files are generated locally and gitignored, so they never affect CI/production.
```bash
# Enable local linking (clones dependencies if needed)
node scripts/setup-links.mjs

# Use GitHub main branches
node scripts/setup-links.mjs main --all

# Reset to published packages
node scripts/setup-links.mjs published --all
```

This generates .pnpmfile.cjs files that redirect dependencies:

- `local` → `link:../socket-registry/registry`
- `main` → `github:SocketDev/socket-registry#main`
- `published` → removes .pnpmfile.cjs (uses package.json)
Nothing special needed!
Since .pnpmfile.cjs is gitignored:
- CI never sees these files
- `pnpm install` uses normal package.json dependencies
- Always gets stable, published packages from npm
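As an added illustration (not Socket's own setup-links.mjs or the file it generates), this is what a generated .pnpmfile.cjs implementing the local / main / published modes could look like; the SocketDev/socket-sdk-js repo name and the sibling paths are assumptions drawn from the examples on this page. The hook only rewrites the root project's own manifest, because pnpm runs readPackage over every manifest it reads, transitive dependencies included.

```javascript
// Project -> packages it may redirect (from the table above).
const ALLOWED_LINKS = {
  'socket-cli': ['@socketsecurity/registry', '@socketsecurity/sdk'],
  'socket-sdk-js': ['@socketsecurity/registry'],
  'socket-packageurl-js': ['@socketsecurity/registry'],
};
// Sibling checkout path and GitHub repo per package (the socket-sdk-js
// repo name is an assumption, not taken from the page).
const SOURCES = {
  '@socketsecurity/registry': { path: '../socket-registry/registry', repo: 'SocketDev/socket-registry' },
  '@socketsecurity/sdk': { path: '../socket-sdk-js', repo: 'SocketDev/socket-sdk-js' },
};
// Dependency spec to install instead of the published version; 'published'
// yields null (no override: the setup script simply removes the file).
function specFor(mode, source) {
  switch (mode) {
    case 'local': return `link:${source.path}`;
    case 'main': return `github:${source.repo}#main`;
    case 'published': return null;
    default: throw new Error(`unknown mode: ${mode}`);
  }
}

// Overrides a project may apply in a mode; unknown projects get none.
function buildOverrides(project, mode) {
  const overrides = {};
  for (const name of ALLOWED_LINKS[project] || []) {
    const spec = specFor(mode, SOURCES[name]);
    if (spec) overrides[name] = spec;
  }
  return overrides;
}

// pnpm runs readPackage on every manifest it reads, transitive dependencies
// included, so rewrite only the root project's own dependencies.
function makeReadPackage(project, mode) {
  const overrides = buildOverrides(project, mode);
  return function readPackage(pkg) {
    if (pkg.name !== project || !pkg.dependencies) return pkg;
    for (const [name, spec] of Object.entries(overrides)) {
      if (pkg.dependencies[name]) pkg.dependencies[name] = spec;
    }
    return pkg;
  };
}

// What the generated file for socket-cli in local mode exports to pnpm.
if (typeof module !== 'undefined') {
  module.exports = { hooks: { readPackage: makeReadPackage('socket-cli', 'local') } };
}
```

Because the file is gitignored, a checkout in CI has no hook at all and every manifest keeps its package.json specs.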
| Project | Can Link To |
|---|---|
| socket-cli | @socketsecurity/registry, @socketsecurity/sdk |
| socket-sdk-js | @socketsecurity/registry |
| socket-packageurl-js | @socketsecurity/registry |
- Set up local linking:

```bash
cd socket-cli

# Setup local linking (auto-clones dependencies if needed)
node scripts/setup-links.mjs
# This creates .pnpmfile.cjs (gitignored) and runs pnpm install
```

- Edit dependency code:

```bash
cd ../socket-registry/registry
# Make changes
pnpm build
```

- Changes are immediately available in linked projects (no publish needed)
```bash
# Test with local code
node scripts/setup-links.mjs local
pnpm test

# Test with GitHub main branch
node scripts/setup-links.mjs main
pnpm test

# Test with published packages (like CI)
node scripts/setup-links.mjs published
pnpm test
```

✅ Committed to repo:

- `scripts/setup-links.mjs` - The setup tool
- `package.json` - Normal dependencies (unchanged)

❌ NOT committed (gitignored):

- `.pnpmfile.cjs` - Local overrides
- `.env.local` - Local environment
```yaml
# In GitHub Actions
jobs:
  test:
    steps:
      - uses: actions/checkout@v5
      - run: pnpm install  # Uses package.json normally
      # .pnpmfile.cjs doesn't exist, so no overrides applied
```

Result: CI always uses stable, published packages
```bash
node scripts/setup-links.mjs --all
```

```bash
# In socket-cli, link to local registry
node scripts/setup-links.mjs local

# Make changes in registry
cd ../socket-registry/registry
vim src/lib/logger.ts
pnpm build

# Changes immediately available in socket-cli
cd ../../socket-cli
pnpm test # Uses your local changes
```

```bash
# socket-cli can link both registry and SDK
node scripts/setup-links.mjs local socket-cli

# This creates overrides for both:
# @socketsecurity/registry → ../socket-registry/registry
# @socketsecurity/sdk → ../socket-sdk-js
```

```bash
# Remove all overrides
node scripts/setup-links.mjs published --all

# Now uses npm packages like production
```

- Clean Repository: No linking configuration in the repo
- CI Simplicity: CI just runs `pnpm install` normally
- Developer Flexibility: Easy switching between local/main/published
- Auto-Setup: Clones missing dependencies automatically
- No Accidents: Can't accidentally commit local paths
- Ensure the dependency is built:

```bash
cd ../socket-registry/registry && pnpm build
```

- Check that .pnpmfile.cjs exists:

```bash
ls -la .pnpmfile.cjs
```

- Re-run setup:

```bash
node scripts/setup-links.mjs local
```

- CI should never see .pnpmfile.cjs (it's gitignored)
- If CI fails, ensure .pnpmfile.cjs is in .gitignore
- CI always uses published packages (no setup needed)
- The script auto-clones from GitHub if the dependency is not found locally
- Or manually clone:

```bash
git clone https://github.com/SocketDev/socket-registry.git ../socket-registry
```
Development linking is a local-only concern. The repository stays clean, and CI/production always uses stable, published packages. The .pnpmfile.cjs mechanism is invisible to anyone not actively developing locally.