-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Yarn 1.x: Detect when yarn.lock has been changed #655
Comments
closes containerbuildsystem#655 The integration test covers a scenario when running `yarn install ...` command will fail becuase of new dependencies that were added, so `yarn.lock` would have to updated. Signed-off-by: Michal Šoltis <[email protected]>
closes containerbuildsystem#655 The integration test covers a scenario when running `yarn install ...` command will fail becuase of new dependencies that were added to package.json and yarn.lock would have to updated to reflect these changes. Signed-off-by: Michal Šoltis <[email protected]>
So, if Yarn only complains if deps need to be added to the lockfile, why do we care about redundant deps if Yarn is okay with them? And if Yarn is okay with them, the user is likely okay with those as well, so we shouldn't present too many obstacles in front of the user if the native tooling isn't posing them either. Looking at it from the other side - does NOT using
@taylormadore have I missed anything? |
The risk here is that we report the removed dependencies from yarn.lock in the SBOM and yet yarn does not download them to the cache
Not using |
I wouldn't worry too much about the SBOM, it would match the checked-in lockfile after all (well, based on a buggy CLI behaviour of Yarn that we'd rely on), but yes, we strive for a perfect SBOM, so we could technically do better.
Will this cause hermetic builds to fail? IOW if a frozen lockfile doesn't report a problem and since the online |
@taylormadore thoughts ^^? The discussion in this issue kinda blocks resolution and review off #683 |
I gave it a quick test and it doesn't appear to My feelings on this are that it isn't on the critical path, so this issue definitely doesn't need to be done now, but I'm not sure I'd just close it either. This might be something we want to do later, since it doesn't seem particularly complicated to resolve. This is of course Just my opinion and I won't stand in the way if others feel differently 🙂 |
Understood. Do we want to keep issues around open? I mean at the very least we should try to resolve the issues, so if it's not pressing, we should close it for now until there's an actual use case that would need the functionality. It's not like we'll lose track of it, it can still be re-opened at any time. The problem with too many issues open makes prioritizing and triaging harder IMO. |
closes containerbuildsystem#655 The integration test covers a scenario when running `yarn install ...` command will fail becuase of new dependencies that were added to package.json and yarn.lock would have to updated to reflect these changes. Signed-off-by: Michal Šoltis <[email protected]>
closes containerbuildsystem#655 The integration test covers a scenario when running `yarn install ...` command will fail becuase of new dependencies that were added to package.json and yarn.lock would have to updated to reflect these changes. Signed-off-by: Michal Šoltis <[email protected]>
Closing it is fine with me |
The
yarn install
command has the--frozen-lockfile
flag that is supposed to fail if an update is needed to yarn.lock. Apparently needed here means if something needs to be added to the lockfile, but not if something needs to be removed. In the case of something that should be removed, Yarn will not complain and will also not update the lockfile.We need a way to detect if yarn.lock is or would be updated by the
yarn install
command and fail the request.Acceptance criteria:
The text was updated successfully, but these errors were encountered: