Yarn.lock Is Modified On Dev/live Server

- 1 answer

This is quite a strange problem. I believe it was not there before (in previous versions of yarn, or it's some package problem). I'm using yarn on macOS and deploy the application to a live server. Yarn on both is the latest, 1.12.1.

On localhost:

  1. I removed the node_modules directory
  2. I also removed yarn.lock
  3. I ran yarn install to install all fresh dependencies

Now I deployed the code to the live server (with yarn.lock) and:

  1. I removed the node_modules directory
  2. I ran yarn install to install all fresh dependencies - it should use yarn.lock and not modify it

The problem is that on the live server the yarn.lock file is modified.

When I run git diff I'm getting (beginning of diff):

   resolved "https://registry.yarnpkg.com/@xtuc/long/-/long-4.2.2.tgz#d291c6a4e97989b5c61d9acf396ae4fe133a718d"
   integrity sha512-NuHqBY1PB/D8xU6s/thBgOAiAP7HOYDQ32+BFZILJ8ivkUkAHQnWfn6WhL79Owj1qmUnoN/YPhktdIoucipkAQ==

[email protected]:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/abbrev/-/abbrev-1.1.1.tgz#f8f2c887ad10bf67f634f005b6987fed3179aac8"
-  integrity sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==
-
 [email protected]~1.3.4, [email protected]~1.3.5, [email protected]~1.3.7:
   version "1.3.7"
   resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.7.tgz#531bc726517a3b2b41f850021c6cc15eaab507cd"
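Review bot: the abbrev stanza (version 1.1.1, with its resolved URL and integrity hash) is deleted outright with nothing added in its place, so an entry is being dropped from the lockfile rather than re-resolved to another version; the neighbouring @xtuc/long and accepts entries are untouched. It is worth finding out which package requested abbrev on the workstation and why the server install does not, and running the deploy step as yarn install --frozen-lockfile so the lockfile cannot be rewritten there.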
@@ -1071,19 +1066,11 @@ [email protected]~3.1.1:
     normalize-path "^3.0.0"
     picomatch "^2.0.4"

[email protected]^1.0.3, [email protected]^1.1.1:
[email protected]^1.1.1:
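Review bot: the hunk header shrinks from 19 lines to 11 and starts five lines earlier on the new side (1071 to 1066), which is consistent with the abbrev stanza removed above, so this region loses more entries than the excerpt shows. The key here keeps the ^1.1.1 range and loses ^1.0.3, meaning nothing in the tree resolved on the server asks for ^1.0.3 any more; the full diff should be read to see which dependents disappeared along with it.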

As you can see on live server [email protected] is removed from here, and aproba changes from [email protected]^1.0.3, [email protected]^1.1.1: to [email protected]^1.1.1:.

What could be the reason for it? Before, it was not happening, and whenever I committed a modified yarn.lock it was not modified on the live server.

Answer

Use

yarn install --frozen-lockfile

as per the yarn docs:

If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass --frozen-lockfile flag.

This is the behavior of yarn install:

Install all the dependencies listed within package.json in the local node_modules folder.

The yarn.lock file is utilized as follows:

  • If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions.
  • If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.

If you want to ensure yarn.lock is not updated, use --frozen-lockfile.
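The answer's condition that yarn.lock "is enough to satisfy" package.json can be checked before a deploy. The sketch below is an added example (not part of the original answer and not Yarn's own algorithm): assuming the v1 lockfile text format and ignoring platform-specific optional dependencies, it lists patterns that package.json needs but the lockfile lacks, and lockfile patterns that no dependency path reaches. The function names and the sample packages are constructed for illustration.

```javascript
// Added example: simplified yarn.lock (v1 text format) drift check. Sample inputs are constructed.
const SAMPLE_PKG = { dependencies: { 'lib-a': '^1.0.0', 'lib-c': '^2.0.0' } };
const SAMPLE_LOCK = `# yarn lockfile v1
lib-a@^1.0.0:
  version "1.2.0"
  dependencies:
    lib-b "^3.0.0"

lib-b@^3.0.0, lib-b@^3.1.0:
  version "3.1.4"

lib-old@1:
  version "1.1.1"
`;

// Map every "name@range" pattern in the lockfile to the patterns it depends on.
function parseLock(text) {
  const graph = new Map();
  let keys = [], inDeps = false;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {                 // entry header: one or more patterns
      keys = line.replace(/:$/, '').split(', ').map(k => k.replace(/^"|"$/g, ''));
      keys.forEach(k => graph.set(k, []));
      inDeps = false;
    } else if (/^  \S/.test(line)) {             // 2-space field line inside the entry
      inDeps = /^  (optionalD|d)ependencies:$/.test(line);
    } else if (inDeps) {                         // 4-space line: name "range"
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) keys.forEach(k => graph.get(k).push(`${m[1]}@${m[2]}`));
    }
  }
  return graph;
}

// missing: patterns needed but absent; orphans: patterns no dependency path reaches.
function lockDrift(pkg, lockText) {
  const graph = parseLock(lockText);
  const roots = ['dependencies', 'devDependencies', 'optionalDependencies']
    .flatMap(f => Object.entries(pkg[f] || {}).map(([n, r]) => `${n}@${r}`));
  const seen = new Set(), missing = [], queue = [...roots];
  while (queue.length) {
    const p = queue.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    if (graph.has(p)) queue.push(...graph.get(p)); else missing.push(p);
  }
  return { missing, orphans: [...graph.keys()].filter(k => !seen.has(k)) };
}
```

A non-empty `missing` list is the case the answer describes, where Yarn looks up new versions and writes the results to yarn.lock.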

source: stackoverflow.com