fix(dep-graph): allow mix of internal and external deps with same name

[thebanjomatic]

This is my first time coding with golang, so please let me know if there is anything non-idiomatic or where things can be written better.

When turbo currently tries to build the dependency graph, it doesn't consider the specified
version/range of the dependency, it just assumes that if that package name exists in the
workspace it must be an internal dependency. Because of this, cycles are detected and
the process hangs.

This PR adds some additional logic to ensure that dependencies are only considered
internal if the local/workspace package's version matches the semver range specified for
the dependency.

Fixes: #796

[vercel]

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/vercel/turbo-site/CoqtuFcwmnRsm8ngoyTKxGdF8Axr
✅ Preview: https://turbo-site-git-fork-thebanjomatic-fix-graphcheck-version.vercel.sh

[Deployment for 6daf7f5 failed]

[gsoltis]

Two general comments:

• The first change I think makes sense, with the caveat that we should not error out if we fail to parse a version, as I think that would be a regression
• I think I'm on board with the second commit in principle, but I think it ought to be a separate PR. In the event that it needs to be reverted, it would be better if it were independent.

[thebanjomatic]

The first change I think makes sense, with the caveat that we should not error out if we fail to parse a version, as I think that would be a regression

To confirm, if we fail to parse either the semver range or the package.json version, we should fallback to an internal package reference in that case to keep existing behavior?

I'll work on splitting the other commit out to its own PR. Its a little annoying because it touches the same code, but I can just target them both at main for now and then deal with the merge conflict whenever one or the other gets merged.

[gsoltis]

To confirm, if we fail to parse either the semver range or the package.json version, we should fallback to an internal package reference in that case to keep existing behavior?

Correct.

[thebanjomatic]

I rolled the code that looks up from the c.PackageInfos map into the isInternal check since logically that is what it means for the package to not be found in the map. But I suppose this could also be:

if item, ok := c.PackageInfos[dependencyName]; ok && IsReferenceToLocalPackage(item, version) {

[gsoltis]

It's not the biggest deal, but I think I like your proposed alternative better. That would allow isReferenceToLocalPackage to be a more focused function.

[gsoltis]

This is coming along. As a general Go note: to mark a function or method as package-private, start the name with a lowercase letter. For example, isReferenceToLocalPackage. Test code is typically colocated in the same package as the code under test, so this doesn't impact the ability to right tests.

And on that topic, I think it would be helpful to have a few examples of internal and external references in a test of isReferenceToLocalPackage to illustrate how the feature is intended to work.

[gsoltis]

This comment implies that npm: is an external reference, however the implementation will return false if protocol == "npm".

[gsoltis]

It's not the biggest deal, but I think I like your proposed alternative better. That would allow isReferenceToLocalPackage to be a more focused function.

[thebanjomatic]

@gsoltis thanks for the review and golang tips. I have refactored things so that IsReferenceToLocalPackage => isWorkspaceReference(packageVersion string, dependencyVersion).

Having it just take two strings as input does make it a lot easier to test. I think it should have good coverage of the branches.

[gsoltis]

Awesome!