[rush-lib] prevent workspace dependencies in decoupledLocalDependencies

[jamesmaher-dd]

Summary

Adds a check in install step to prevent a host project depending on a workspace: package version if the package is also listed in decoupledLocalDependencies.

Currently unaware of any use case that this would be intended. We came across this issue when migrating a dependency from an external feed (e.g. "@<namespace>/packageA": "1.2.3") to a workspace dependency, and didn't remove the package from decoupledLocalDependencies.

Details

We came across an issue which allows a host package to depend on a package with workspace: notation while also listing that package in its decoupledLocalDependencies. Because this is currently not checked, this can result in a missing dependency in CI runs because the package@workspace: is not guaranteed to be built prior to the package that depends on it, so here we're adding a check for it.

Replication steps

This is a very quick example to demonstrate how this situation occurs:

# hostProject1 package.json
"dependencies": {
  "@<namespace>/packageA": "workspace:*",
}

# rush.json
"projects": [
  {
    "packageName": "@<namespace>/hostProject1",
    "projectFolder": "apps/hostProject1",
    "decoupledLocalDependencies": ["@<namespace>/packageA"],
  },

How it was tested

Tested with local rush against our repo by replicating with the steps above and running rush update or rush install, and no warning logged or error being thrown.

Adding this changeset against our repo with the same replication results in the error added in this PR being thrown, preventing the erroneous state.

[aramissennyeydd]

Nice!

[jamesmaher-dd]

@microsoft-github-policy-service agree company="doordash"

[jamesmaher-dd]

hey @iclanton 👋🏻, how do we feel about merging this?