Renovate doesn't update yarn.lock anymore with --install.frozen-lockfile true in .yarnrc #11356

Closed
afdev82 opened this issue Aug 20, 2021 · 17 comments · Fixed by #18184
Labels
manager:npm package.json files (npm/yarn/pnpm) priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others type:bug Bug fix of existing functionality

Comments

@afdev82

afdev82 commented Aug 20, 2021

How are you running Renovate?

Self-hosted

Please select which platform you are using if self-hosting.

GitLab self-hosted

If you're self-hosting Renovate, tell us what version of Renovate you run.

v26.3.0

Describe the bug

Renovate doesn't update the yarn.lock file anymore if the option --install.frozen-lockfile true is present in the .yarnrc file.

I think I already found the reason for that, in this commit.

I created a minimal reproduction repository, but it is currently not failing because it's still using v25.76.2.

Many thanks for your support.

Relevant debug logs

Logs
DEBUG: Getting updated lock files (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Writing package.json files (repository=ad-notam/website, branch=renovate/webpack-packages)
       "packageFiles": ["package.json"]
DEBUG: Writing any updated package files (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Writing package.json (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: No npmrc file found in repository (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Writing updated .npmrc file to /tmp/renovate/repos/gitlab/ad-notam/website/.npmrc (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Generating yarn.lock for . (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Spawning yarn install to create /tmp/renovate/repos/gitlab/ad-notam/website/yarn.lock (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Updating yarn.lock only - skipping node_modules (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: No node constraint found - using latest (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Using docker to execute (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: No tag or tagConstraint specified (repository=ad-notam/website, branch=renovate/webpack-packages)
       "image": "docker.io/renovate/node"
DEBUG: Fetching Docker image: docker.io/renovate/node (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Finished fetching Docker image (repository=ad-notam/website, branch=renovate/webpack-packages)
DEBUG: Executing command (repository=ad-notam/website, branch=renovate/webpack-packages)
       "command": [
         "docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\""
       ]
DEBUG: rawExec err (repository=ad-notam/website, branch=renovate/webpack-packages)
       "err": {
         "killed": false,
         "code": 1,
         "signal": null,
         "cmd": "docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\"",
         "stdout": "\n> yarn@1.22.11 preinstall /home/ubuntu/.npm-global/lib/node_modules/yarn\n> :; (node ./preinstall.js > /dev/null 2>&1 || true)\n\n/home/ubuntu/.npm-global/bin/yarn -> /home/ubuntu/.npm-global/lib/node_modules/yarn/bin/yarn.js\n/home/ubuntu/.npm-global/bin/yarnpkg -> /home/ubuntu/.npm-global/lib/node_modules/yarn/bin/yarn.js\n+ yarn@1.22.11\nadded 1 package in 1.013s\nyarn install v1.22.11\n[1/4] Resolving packages...\ninfo Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.\n",
         "stderr": "error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.\n",
         "message": "Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\"\nerror Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.\n",
         "stack": "Error: Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\"\nerror Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.\n\n    at ChildProcess.exithandler (child_process.js:319:12)\n    at ChildProcess.emit (events.js:376:20)\n    at ChildProcess.emit (domain.js:470:12)\n    at maybeClose (internal/child_process.js:1055:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)"
       }
DEBUG: lock file error (repository=ad-notam/website, branch=renovate/webpack-packages)
       "err": {
         "killed": false,
         "code": 1,
         "signal": null,
         "cmd": "docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\"",
         "stdout": "\n> yarn@1.22.11 preinstall /home/ubuntu/.npm-global/lib/node_modules/yarn\n> :; (node ./preinstall.js > /dev/null 2>&1 || true)\n\n/home/ubuntu/.npm-global/bin/yarn -> /home/ubuntu/.npm-global/lib/node_modules/yarn/bin/yarn.js\n/home/ubuntu/.npm-global/bin/yarnpkg -> /home/ubuntu/.npm-global/lib/node_modules/yarn/bin/yarn.js\n+ yarn@1.22.11\nadded 1 package in 1.013s\nyarn install v1.22.11\n[1/4] Resolving packages...\ninfo Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.\n",
         "stderr": "error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.\n",
         "message": "Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\"\nerror Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.\n",
         "stack": "Error: Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/tmp/renovate/repos/gitlab/ad-notam/website\":\"/tmp/renovate/repos/gitlab/ad-notam/website\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e NPM_CONFIG_CACHE -e npm_config_store -e CI -e YARN_CACHE_FOLDER -w \"/tmp/renovate/repos/gitlab/ad-notam/website\" docker.io/renovate/node bash -l -c \"npm i -g yarn && sed -i 's/ steps,/ steps.slice(0,1),/' /home/ubuntu/.npm-global/lib/node_modules/yarn/lib/cli.js && yarn install --ignore-engines --ignore-platform --network-timeout 100000 --ignore-scripts\"\nerror Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.\n\n    at ChildProcess.exithandler (child_process.js:319:12)\n    at ChildProcess.emit (events.js:376:20)\n    at ChildProcess.emit (domain.js:470:12)\n    at maybeClose (internal/child_process.js:1055:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)"
       },
       "type": "yarn"

Have you created a minimal reproduction repository?

I have linked to a minimal reproduction repository in the bug description

@afdev82 afdev82 added priority-5-triage status:requirements Full requirements are not yet known, so implementation should not be started type:bug Bug fix of existing functionality labels Aug 20, 2021
@viceice
Member

viceice commented Aug 20, 2021

First: --install.frozen-lockfile true should not be in .yarnrc in repo.

Second: we can add --frozen-lockfile false to the yarn v1 invocation as workaround.

We should never overwrite the repo yarnrc anymore, as this will confuse many other renovate users.

@rarkins
Collaborator

rarkins commented Aug 20, 2021

Hopefully cli overrides .yarnrc? If so then we can add it and hopefully resolve it

@rarkins rarkins added manager:npm package.json files (npm/yarn/pnpm) status:ready priority-2-high Bugs impacting wide number of users or very important features and removed status:requirements Full requirements are not yet known, so implementation should not be started priority-5-triage labels Aug 20, 2021
@ylemkimon
Contributor

The CLI cannot override arguments set in the .yarnrc.

@rarkins
Collaborator

rarkins commented Aug 22, 2021

That's a pity! I don't think it's the best design either, but I suppose it's too late to change. In that case we need to read, massage and write back the file if it exists.

@viceice
Member

viceice commented Aug 23, 2021

I would then log this as a warning if --install.frozen-lockfile true is found, so users are aware of this crude workaround.

I don't like to support this bad practice 😕

@rarkins
Collaborator

rarkins commented Aug 23, 2021

I don't like it either, but are you sure it's not just our "opinion"? e.g. does the Yarn project recommend against putting it into .yarnrc?

@rarkins
Collaborator

rarkins commented Aug 23, 2021

On the other hand I agree that us needing to massage a file before we can get yarn to work is undesirable and should be noted somehow, so maybe a warning log is not too aggressive :)

@afdev82
Author

afdev82 commented Aug 24, 2021

I didn't know it was a bad practice, I thought in fact it was a way to solve the problem that running yarn install in production could update dependencies (just like it does in development).
For that reason I added the flag in the .yarnrc file as suggested by yarn team to avoid this behaviour.
If there is a better way to handle that, just let me know, I'm open to change that.
But I think that yarn install should install and not update packages. As far as I know the flag is needed to get this behaviour.
There is a long issue about that: yarnpkg/yarn#4147

@rarkins
Collaborator

rarkins commented Aug 24, 2021

I think you can run "yarn install --frozen-lockfile" in CI and production as an alternative.
Yarn 2+ has changed the flag and altered terminology and behaviour a little, e.g. defaulting this heavier whenever CI=true

@rarkins
Collaborator

rarkins commented Aug 24, 2021

It's definitely a good idea to do immutable/frozen installs in CI, staging and production

@afdev82
Author

afdev82 commented Aug 24, 2021

Yes, I think I added the flag in .yarnrc because it was easier not to forget the flag when running yarn install in production.

@jraoult

jraoult commented Sep 2, 2021

@rarkins just found this convo after renovate (GitHub app) started to fail on my repo with the same message. I checked and it is v26 running there now. Are you folks considering reverting this change or is the official view that we should get rid of yarnrc and use command line flag instead?

@rarkins
Collaborator

rarkins commented Sep 3, 2021

@jraoult we aren't considering reverting it, but happy to accept a PR which reintroduces the "massaging" of .yarnrc in order to close this issue. Something along the lines of:

      // Does .yarnrc exist next to yarn.lock?
      // Read file from disk
      // massage content
            .replace('--install.pure-lockfile true', '')
            .replace('--install.frozen-lockfile true', '')
      // if content changed then write new content back to disk
      // Now run yarn
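
A line-based version of the massaging sketched in the comment above, as an added example that is not part of the original comment and not Renovate's own code; the function names and the sample file are assumptions. Unlike a plain string replace, it removes every occurrence, leaves commented-out and `false` settings alone, and produces the warning suggested earlier in the thread.

```javascript
// Added example (not Renovate's code): strip the .yarnrc settings that make
// `yarn install` refuse to rewrite yarn.lock, and report what was removed.

// The two yarn v1 rc flags named in the thread.
const LOCKFILE_FLAGS = ['--install.frozen-lockfile', '--install.pure-lockfile'];

// Returns { content, removed }, where `removed` lists the stripped flags.
// Only lines that set one of the flags to true are dropped; comments,
// `false` values and every other setting are kept unchanged.
function massageYarnrc(original) {
  const eol = original.includes('\r\n') ? '\r\n' : '\n';
  const removed = [];
  const kept = original.split(/\r?\n/).filter((line) => {
    const m = /^\s*(\S+)\s+true\s*$/.exec(line);
    if (m && LOCKFILE_FLAGS.includes(m[1])) {
      removed.push(m[1]);
      return false;
    }
    return true;
  });
  return { content: kept.join(eol), removed };
}

// Decide what the caller should do before running yarn: nothing, or write
// the massaged content to the working copy and log a warning so the
// repository owner learns that the workaround was applied.
function planYarnrcUpdate(original) {
  const { content, removed } = massageYarnrc(original);
  if (removed.length === 0) {
    return { write: false, content: original, warning: null };
  }
  return {
    write: true,
    content,
    warning: `.yarnrc sets ${removed.join(', ')}; removed in the working copy so yarn.lock can be updated`,
  };
}

// Constructed sample .yarnrc (the registry host is a placeholder).
const sampleYarnrc = [
  '# constructed sample',
  'registry "https://registry.example.test"',
  '--install.frozen-lockfile true',
  '--install.pure-lockfile false',
  '',
].join('\n');

console.log(planYarnrcUpdate(sampleYarnrc));
```

The change applies only to the checkout the update tool works in; the committed .yarnrc, and with it the frozen install behaviour in production, is untouched unless the massaged file is committed.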

@jraoult

jraoult commented Sep 4, 2021

@rarkins After thinking about what @viceice said, I thought about the rationale for having .yarnrc in the repo in the first place.

Turns out we don't need it because all our CI tools already run yarn with the --frozen-lockfile option and it is indeed a bad idea considering the sort of things that can be put in this file anyway. We decided to remove it from the repo and ask people to create their own file locally to make sure they don't inadvertently update the lock file on install.

@afdev82
Author

afdev82 commented Sep 21, 2021

For the CI it could be OK, but when I deploy in production I wanted to be sure not to forget the flag when running yarn.
Honestly, I always found it counterintuitive that the install could modify the lock file.
Is it an issue only for Yarn v1? If it helps, I could update Yarn to v2.
From what I read, nothing changed regarding the behavior in v2, they just changed the option names.

@rarkins rarkins added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others reproduction:provided and removed priority-2-high Bugs impacting wide number of users or very important features labels Mar 12, 2022
@rarkins
Collaborator

rarkins commented Mar 12, 2022

Reproduction forked to https://github.com/renovate-reproductions/11356

aommm added a commit to aommm/renovate that referenced this issue Oct 7, 2022
Fixes renovatebot#11356.
Fixes so that Renovate can run on repos that have `--install.frozen-lockfile true` in their .yarnrc.
WIP - feedback needed!
aommm added a commit to aommm/renovate that referenced this issue Oct 8, 2022
Fixes renovatebot#11356.
Fixes so that Renovate can run on repos that have `--install.frozen-lockfile true` in their .yarnrc.
WIP - feedback needed!
aommm added a commit to aommm/renovate that referenced this issue Oct 13, 2022
Fixes renovatebot#11356.
Fixes so that Renovate can run on repos that have `--install.frozen-lockfile true` in their .yarnrc.
WIP - feedback needed!
@renovate-release
Collaborator

🎉 This issue has been resolved in version 32.241.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2022