Closed warner closed 1 year ago
I did a
git pull
today, and ranyarn
just in case, and was surprised to see that it modifiedyarn.lock
.
Even if yarn.lock
were perfectly correct at the time of that commit, can't this happen anyway if new versions of dependent packages have been published on npm, and yarn
finds a more recent version is a better solution to the simultaneous package.json
constraints than the choices that were available at the time?
We commit our lockfile so that (at least notionally) humans are the ones making changes to our dependency tree, in PRs where they can be reviewed, rather than having the set of packages we use get selected at the last moment, on some downstream developer's machine.
Is it realistic to expect that a human reviewer will ever manually read a yarn.lock
file when nothing mysteriously bad is happening? Rather, I see yarn.lock
as a way to snapshot the concrete choices that were made at that time, when things were presumably working.
This enables us to ensure that this tested working state is reproduced in production. And if something bad happens later in development, we have the ability to perfectly reproduce past working states for comparison.
(Figuring these things out on yarn.lock
is good practice for the issues that will arise managing TOFU-based least authority linkage policies. I suspect that'll be harder but not way harder.)
I did a
git pull
today, and ranyarn
just in case, and was surprised to see that it modifiedyarn.lock
. Usually we make a practice of committing an updatedyarn.lock
in the same PR as the changes topackage.json
which provoked the lockfile changes, but something went wrong in a recent PR and they diverged a bit.I was thinking of adding a CI check that the contents of
yarn.lock
before and after the execution ofyarn
are the same. What do people think?We commit our lockfile so that (at least notionally) humans are the ones making changes to our dependency tree, in PRs where they can be reviewed, rather than having the set of packages we use get selected at the last moment, on some downstream developer's machine. This means updates to packages must be done as commits, where perhaps they'll be a bit more deliberate.
Changes to
yarn.lock
don't commute very well, however. If one PR changes apackage.json
, and thus also changesyarn.lock
, and that PR must be rebased past some other changes toyarn.lock
, it's usually really hard to deal with the merge conflict. My usual approach is to put theyarn.lock
change in its own commit, at the end of my PR, so that if someone (maybe me) needs to rebase it, I can snip off that commit, rebase everything else, and then re-runyarn
to regenerate a new final commit. This is a hassle, and I can't expect everyone to follow this practice.I'm not sure what the best practices are here. I imagine other projects have run into this before, and that there might be tooling available (just as "dependabot" can file PRs to update
yarn.lock
-type files). Or maybe we should reconsider keeping this lockfile in version control?