yarnpkg / berry

📦🐈 Active development trunk for Yarn ⚒
https://yarnpkg.com
BSD 2-Clause "Simplified" License

Behaviour of checksumBehavior when doing `yarn install --immutable` #6598

Open Maraket opened 2 weeks ago

Maraket commented 2 weeks ago

I have recently encountered behaviour in a project that left me concerned and thought I would seek the opinion of the community.

Context: A build pipeline failed while running `yarn install --immutable` with an unexpected error, "The remote archive doesn't match the expected checksum", the root cause being unimportant to this conversation. A solution proposed was to use `checksumBehavior: update` as suggested in https://www.reddit.com/r/learnjavascript/comments/qsr87e/yarn_checksum_failures/.

I draw attention to the following 2 links:

> If the `--immutable` option is set (defaults to true on CI), Yarn will abort with an error exit code if the lockfile was to be modified (other paths can be added using the `immutablePatterns` configuration setting). For backward compatibility we offer an alias under the name of `--frozen-lockfile`, but it will be removed in a later release.

Given these details, logically you would expect that `checksumBehavior` shouldn't work when the `--immutable` flag is set, but in testing this wasn't the case.

Commentary would be greatly appreciated.
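
A pre-install guard a pipeline could run, as an added example that is not part of the original post or Yarn's own code: it fails when `checksumBehavior` is set to anything other than `throw` in the project or home `.yarnrc.yml`, or through the `YARN_CHECKSUM_BEHAVIOR` environment variable. The function names and the choice of which rc files to scan are assumptions.

```shell
#!/bin/sh
# Added example: refuse to start an immutable install when checksum
# enforcement has been relaxed. Function names are illustrative.
# Intended use in CI:  checksum_policy_ok . && yarn install --immutable

# Print the checksumBehavior value set in one rc file (empty if unset).
rc_checksum_behavior() {
    # $1 = path to a .yarnrc.yml file
    [ -f "$1" ] || return 0
    # Take top-level "checksumBehavior: value" lines, then strip any
    # trailing comment, trailing whitespace and surrounding quotes.
    sed -n 's/^checksumBehavior:[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e "s/^[\"']//" -e "s/[\"']\$//" \
        | tail -n 1
}

# Return 0 if a checksum mismatch would still abort the install, else 1.
checksum_policy_ok() {
    # $1 = project directory that holds .yarnrc.yml
    project_dir=$1
    rc_status=0

    # Yarn settings can also be supplied as YARN_* environment variables.
    if [ -n "${YARN_CHECKSUM_BEHAVIOR:-}" ] \
        && [ "$YARN_CHECKSUM_BEHAVIOR" != "throw" ]; then
        echo "YARN_CHECKSUM_BEHAVIOR=$YARN_CHECKSUM_BEHAVIOR relaxes checksum enforcement" >&2
        rc_status=1
    fi

    # Assumption: only the project and home rc files are scanned here.
    for rc in "$project_dir/.yarnrc.yml" "${HOME:-/nonexistent}/.yarnrc.yml"; do
        value=$(rc_checksum_behavior "$rc")
        if [ -n "$value" ] && [ "$value" != "throw" ]; then
            echo "$rc sets checksumBehavior: $value" >&2
            rc_status=1
        fi
    done
    return $rc_status
}
```
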