今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#monorepo

找到 4 篇相关文章

AI 资讯

Monorepo vs polyrepo

How you split your code into repositories seems like a plumbing decision, but it quietly shapes how your team collaborates, ships, and reasons about the system. A monorepo keeps everything in one repository; a polyrepo gives each service or app its own. Neither is universally right, and the loudest opinions online usually ignore your actual stage and team size. Here's how to think about it clearly. What a monorepo buys you A monorepo puts your web app, mobile app, backend, and shared libraries under one roof. The advantages are real, especially for smaller teams: Atomic changes. Update a shared type and every consumer in the same pull request. No cross-repo coordination dance. One source of truth for tooling. A single lint, format, and CI config instead of drift across a dozen repos. Effortless code sharing. Shared TypeScript packages are just imports, not published versions you have to bump and reinstall everywhere. Easy refactoring. You can find and fix every caller of a function because it's all in front of you. Tools like Turborepo and Nx make this practical by caching builds and only running work for the parts that actually changed. What a monorepo costs The trade-offs show up as you grow. Build and CI times can balloon without smart caching. Access control is coarser — it's harder to give a contractor one service without the whole codebase. And a naive setup rebuilds and tests everything on every change, which gets slow fast. Good tooling mitigates all of this, but you have to invest in it deliberately. What a polyrepo buys you Separate repositories give each service hard boundaries . A team owns its repo end to end, deploys on its own schedule, and can't accidentally reach into another team's internals. Access control is naturally granular, CI for each repo is small and fast, and the blast radius of a bad change is contained. The cost is coordination. A change that spans services becomes multiple pull requests across multiple repos that must land in the right

2026-07-09 原文 →
AI 资讯

Stop Copying shadcn Components Across Projects — Use This Turborepo Starter Instead

You know the drill. You build a beautiful set of shadcn/ui components for Project A — a Button, a Card, a Dialog with custom animations. Then Project B kicks off. You copy the files over. Then Project C. Then a subtle bug is found in the Button. Now you're patching it in three places. This is the classic monorepo problem, and it's exactly what I set out to fix. What I Built turborepo-react-shadcn-starter is a production-ready monorepo template that wires up: Turborepo for workspace orchestration and intelligent build caching React + Vite for the fastest possible frontend dev experience shadcn/ui as a shared package — write once, use everywhere TypeScript across the entire workspace ESLint with shared config baked in The key insight: shadcn/ui lives in @repo/ui , a shared package, not inside any single app. Every app in your monorepo consumes the same components from the same source of truth. The Problem with Typical Setups Most teams drop shadcn/ui directly into a single app. That works fine until you need a second app. Then your choices are: Copy-paste the components → drift and duplication immediately Publish to npm → versioning overhead for internal code Monorepo with a shared package → ✅ This is the right answer Turborepo makes option 3 near-effortless, but setting it up from scratch (workspace configs, TypeScript path aliases, ESLint sharing, shadcn CLI pointing at the right package) takes a few hours of trial and error. This starter eliminates all of that. What's Inside turborepo-react-shadcn-starter/ ├── apps/ │ └── web/ # Vite + React app ├── packages/ │ ├── ui/ # @repo/ui — shared shadcn/ui components │ ├── eslint-config/ # @repo/eslint-config │ └── typescript-config/ # @repo/typescript-config ├── turbo.json └── package.json apps/web — The Main App A clean Vite + React app already wired to consume components from @repo/ui . No boilerplate to delete, no config to untangle. packages/ui — The Shared Component Library This is where all your shadcn/ui components

2026-06-28 原文 →
AI 资讯

Monorepo Dependency Security — Vulnerability Scanning Across Packages

A monorepo can look like one repository, but security teams should treat it as many applications living under one roof. One repo may contain 10 frontend packages, 5 backend services, 3 shared utility libraries, 2 mobile apps, and one root lockfile that does not tell the full story by itself. Monorepo dependency security means scanning the root dependency graph, every workspace package, shared libraries, lockfiles, and generated SBOMs. If you scan only one file, you may miss the vulnerable package that ships in production. Why Monorepos Create Unique Vulnerability Challenges Monorepos centralize multiple packages, apps, services, and libraries inside one repository. This improves code sharing, dependency alignment, refactoring, CI caching, and cross-team collaboration. It also creates a security problem: one repository can contain many different dependency trees, owners, deployment targets, and risk profiles. A typical JavaScript or TypeScript monorepo may include apps/web , apps/admin , apps/api , packages/ui , packages/auth , packages/logger , and packages/config . Each package may have its own package.json . Some packages are deployed to production. Some are internal libraries. Some are build-only tools. Some are used by every app. A vulnerability in one package can affect one app, many apps, or the whole repo depending on how dependency relationships are structured. The biggest issue is shared code. If packages/auth depends on a vulnerable version of jsonwebtoken , every application that imports packages/auth may be affected. If packages/ui uses a vulnerable utility such as lodash , every frontend app that consumes that UI package may inherit the same risk. If a build tool dependency is compromised, the risk may appear during CI/CD rather than runtime. Real CVEs show why this matters. CVE-2021-23337 affected lodash through command injection in template handling. CVE-2022-31129 affected moment through inefficient parsing that could cause denial of service. CVE-202

2026-06-25 原文 →
AI 资讯

Monorepo vs polyrepo: the debate is measuring the wrong thing

The monorepo vs polyrepo argument is old enough that Buildkite was comparing it to the Vim and Emacs wars back in 2024. It should have been settled, or at least gone quiet. Instead, in the space of six months, an AI coding vendor re-litigated it for the agent era, a benchmark firm published PR cycle-time data across hundreds of organisations, and half the platform engineering threads I read found their way back to it. Something pulled the question out of retirement. I think the something is worth naming, because it is not really about repositories at all. I maintain a product whose entire reason to exist is that most organisations run polyrepos, so I want to be upfront about where I sit before arguing anything. Riftmap parses cross-repo dependencies. If everyone migrated to a monorepo tomorrow, a good part of my roadmap would evaporate. Read what follows with that in mind, and check the sources, all of which are linked. With that declared: I think both camps in this debate are arguing about a proxy. The real variable underneath, the one that decides whether your team ships confidently or plays dependency archaeology at 2am, is something the standard pros-and-cons lists never name. This post walks the honest trade-offs first, because they are real and you deserve a straight answer to the question you searched for. Then it gets to the variable. What each side buys you A monorepo is one repository holding many projects. A polyrepo (or multi-repo) setup gives each project, service, or module its own repository. Both are proven at every scale that matters: Google and Meta run famous monorepos, Amazon and Netflix run famous polyrepos, and none of them are wrong. The monorepo's case The strongest monorepo argument has always been atomic cross-project change. Uber's iOS team moved to a monorepo largely for this: when an API contract and all of its clients live in one repo, a breaking change is one commit, one review, one revert path. No choreographed pull requests across si

2026-06-07 原文 →