Sherif

Opinionated, zero-config linter for JavaScript monorepos

About


Sherif is an opinionated, zero-config linter for JavaScript monorepos. It runs fast in any monorepo and enforces rules to provide a better, standardized DX.

Features


- ✨ PNPM, NPM, Yarn...: sherif works with all package managers
- 🔎 Zero-config: it just works and prevents regressions
- ⚡ Fast: doesn't need node_modules installed, written in 🦀 Rust

Installation


Run `sherif` in the root of your monorepo to list the issues it finds. Any error will cause Sherif to exit with code 1:

```bash
# PNPM
pnpm dlx sherif@latest
# NPM
npx sherif@latest
```

We recommend running Sherif in your CI once all errors are fixed. Run it by specifying a version instead of `latest`. This is useful to prevent regressions (e.g. when adding a library to a package but forgetting to update the version in other packages of the monorepo).


GitHub Actions example

```yaml
name: Sherif
on:
  pull_request:
jobs:
  check:
    name: Run Sherif
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - run: npx sherif@0.4.2
```


Rules


You can ignore a specific rule by passing its name to `--ignore-rule` (or `-r`):

```bash
# Ignore both rules
sherif -r packages-without-package-json -r root-package-manager-field
```

You can ignore all issues in a package by passing it to `--ignore-package` (or `-p`):

```bash
# Ignore all issues in the package
sherif -p @repo/tools
```

Note

Sherif doesn't have many rules for now, but will likely have more in the future (along with more features).


empty-dependencies


package.json files should not have empty dependencies fields.

multiple-dependency-versions


A given dependency should use the same version across the monorepo.

If you expect a dependency to have multiple versions, you can ignore this rule for it by passing its name to `--ignore-dependency` (or `-i`):

```bash
# Ignore dependencies that are expected to have multiple versions
sherif -i react -i @types/node
```

non-existant-packages ⚠️


All paths defined in the workspace (the root package.json's workspaces field or pnpm-workspace.yaml) should match at least one package.

packages-without-package-json ⚠️


All packages matching the workspace (the root package.json's workspaces field or pnpm-workspace.yaml) should have a package.json file.

root-package-dependencies ⚠️


The root package.json is private, so making a distinction between dependencies and devDependencies is useless - only use devDependencies.

root-package-manager-field


The root package.json should specify the package manager and version to use. Useful for tools like corepack.

root-package-private-field


The root package.json should be private to prevent accidentally publishing it to a registry.

types-in-dependencies


Private packages shouldn't have @types/* in dependencies, since they don't need it at runtime. Move them to devDependencies.
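To make the intent of the rules above concrete, here is an added example (not Sherif's code, which is written in Rust) that re-states three of them, `multiple-dependency-versions`, `types-in-dependencies` and `root-package-private-field`, over in-memory manifests. The `lintManifests` function, its `ignoreDependencies` option, the sample manifests and the choice to compare version strings verbatim across `dependencies` and `devDependencies` are all assumptions made for illustration.

```javascript
// Added illustration: a simplified re-statement of three Sherif rules.
// Not Sherif's implementation; names and matching details are assumptions.
const DEP_FIELDS = ["dependencies", "devDependencies"];

// Constructed sample monorepo: file path -> parsed package.json.
const sampleManifests = {
  "package.json": { name: "root", devDependencies: { turbo: "1.10.0" } },
  "apps/web/package.json": {
    name: "@repo/web", private: true,
    dependencies: { react: "18.2.0", "@types/node": "20.8.0" },
  },
  "packages/ui/package.json": {
    name: "@repo/ui", private: true,
    dependencies: { react: "17.0.2" },
    devDependencies: { "@types/node": "18.0.0" },
  },
};

// Returns [{ rule, message }]; ignoreDependencies plays the role of -i.
function lintManifests(manifests, { ignoreDependencies = [] } = {}) {
  const issues = [];
  const versions = new Map(); // dependency name -> Set of version strings seen

  for (const [path, pkg] of Object.entries(manifests)) {
    for (const field of DEP_FIELDS) {
      for (const [dep, range] of Object.entries(pkg[field] ?? {})) {
        if (!versions.has(dep)) versions.set(dep, new Set());
        versions.get(dep).add(range);
      }
    }
    // types-in-dependencies: private packages keep @types/* in devDependencies.
    if (pkg.private === true) {
      for (const dep of Object.keys(pkg.dependencies ?? {})) {
        if (dep.startsWith("@types/"))
          issues.push({ rule: "types-in-dependencies", message: `${path}: ${dep}` });
      }
    }
  }
  // multiple-dependency-versions: one version per dependency, unless ignored.
  for (const [dep, seen] of versions) {
    if (seen.size > 1 && !ignoreDependencies.includes(dep))
      issues.push({ rule: "multiple-dependency-versions",
        message: `${dep}: ${[...seen].sort().join(", ")}` });
  }
  // root-package-private-field: the root manifest must set "private": true.
  const root = manifests["package.json"];
  if (root && root.private !== true)
    issues.push({ rule: "root-package-private-field", message: "package.json" });
  return issues;
}
```

Note that ignoring `@types/node` here only silences the version-mismatch rule; the `types-in-dependencies` finding for `apps/web` is still reported.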

Credits


- dedubcheck, which gave me the idea for Sherif
- Manypkg for some of their rules
- This article for the Rust releases on NPM
