[Feature] disable lockfile

[paul-marechal]

• I'd be willing to implement this feature
• This feature can already be implemented through a plugin

Describe the user story

When developing libraries, having a lock file can prevent the detection of issues with newer packages, that ultimately will be pulled by dependents.

But maybe still locking dev-dependencies can be useful. This would be up to the developer?

Describe the solution you'd like

In a perfect world, we should be able to choose what dependencies to lock: all, dev, none.

• all would primarily be used by applications (no dependents).
• dev and none could be used for libraries (that have dependents).

It can be a field in .yarnrc.yml, maybe lock: (all|dev|none) ?

Berry should be able to replace already installed dependencies by a new one if available (and not locked) when doing yarn install. It can be annoying to delete the whole node_modules folder every time. Edit: or should a dev use yarn upgrade in this case? it would upgrade dev dependencies as well, which we might not want.

Describe the drawbacks of your solution

Maybe slower installs? I can live with that as long as it does what I want. Only impacts people disabling the lockfile.

Describe alternatives you've considered

Running yarn upgrade often. But this pollutes the commit history in some way, and might lead to merge conflicts on the lockfile. Even though old yarn was able to resolve those conflicts, it is still annoying to land in that state.

Additional context

N/A

[arcanis]

This isn't something we'll implement. More details here.

[paul-marechal]

So the alternative for an active project would be to regularly manually run yarn upgrade and push it upstream every so often?

[arcanis]

Yep. To make that easier, various bots exist that automatically run upgrades periodically and open PRs to run the tests against the new set of dependencies (Renovate / Dependabot).

[elgs]

I tend to get whatever latest and resolve issue if there is any. If they don't want to implement it, whenever I saw that file, I do:

rm -rf yarn.lock 

[JounQin]

@arcanis

We have yarn --no-lockfile, why we can't config it via .yarnrc? It is not constant. And for some libraries, they'd prefer always keeping latest compatible version.

See eslint/markdown#182 (comment)

[merceyz]

See https://yarnpkg.com/getting-started/qa/#should-lockfiles-be-committed-to-the-repository

[JounQin]

See https://yarnpkg.com/getting-started/qa/#should-lockfiles-be-committed-to-the-repository

I've already read it several times. And why yarn --no-lockfile is provided then?

I personally always use yarn.lock, but you shouldn't force people to do that IMO.

[arcanis]

All softwares require baselines, and this is part of ours. There are workarounds if you really want to ignore our advices, there's no reason for us to change anything.