Yarn: run with --frozen-lockfile
#14640
Caution: This PR has changes that must be merged to WordPress.com
This is an automated check which relies on
I really like this idea. I haven't timed it, but I confirmed it does fail out of the build after manually bumping a package version. From a bug standpoint, it is good to have a human-readable package.json and have some assurance it is what is being built. From a security standpoint, it would help us ensure that we aren't building outdated insecure code unintentionally.
Works as I'd expect. Leaving it as "Needs Review" for second Crew opinion on the concept.
r202762-wpcom
I haven't dug very much into this but I realized there was no `--frozen-lockfile` in `package.json` or in Travis CI config. 🤔

That's like running `npm ci` vs `npm install`. I haven't checked but it might also be faster.

That would ensure that `package.json` and `yarn.lock` are never out of date with each other. It's not like it happens often, but it has happened.

Note that if later on project updates to Yarn v2, this will need to be changed to `--immutable`: (via)
Testing instructions
I haven't actually tested this yet since I basically wanted to hear your thoughts first. I think it would go something along the lines of:
- `yarn build`, confirm it passes
- `package.json` and then run `yarn build` - it should stall
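
The drift that `--frozen-lockfile` guards against (a `package.json` range with no matching `yarn.lock` entry) can be illustrated with a small checker. This is an added example, not code from this PR or from Yarn; the function names and sample data are constructed, and it only approximates Yarn v1's check by comparing direct dependencies against lockfile entry headers.

```javascript
// Collect every "name@range" specifier that a Yarn v1 lockfile has an entry for.
// Simplification: assumes ranges contain no commas.
function lockedSpecifiers(lockText) {
  const specs = new Set();
  for (const line of lockText.split(/\r?\n/)) {
    // Entry headers are unindented, end with ":", and may list several specifiers.
    if (!line || line.startsWith(' ') || line.startsWith('#') || !line.endsWith(':')) continue;
    for (const raw of line.slice(0, -1).split(',')) {
      specs.add(raw.trim().replace(/^"|"$/g, ''));
    }
  }
  return specs;
}

// Return the package.json dependencies that have no matching lockfile entry.
// A non-empty result is the situation in which a frozen install refuses to proceed.
function findDrift(pkg, lockText) {
  const locked = lockedSpecifiers(lockText);
  const drift = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const spec = `${name}@${range}`;
      if (!locked.has(spec)) drift.push(spec);
    }
  }
  return drift;
}

// Constructed sample lockfile (in CI these would be read from disk).
const SAMPLE_LOCK = [
  '# yarn lockfile v1',
  '',
  '"@babel/core@^7.0.0", "@babel/core@^7.1.0":',
  '  version "7.9.0"',
  '',
  'lodash@^4.17.15:',
  '  version "4.17.15"',
  '',
].join('\n');

// Constructed manifests: one in sync, one with a manually bumped version.
const inSync = { dependencies: { lodash: '^4.17.15' }, devDependencies: { '@babel/core': '^7.1.0' } };
const bumped = { dependencies: { lodash: '^4.17.20' }, devDependencies: { '@babel/core': '^7.1.0' } };

console.log('in sync:', findDrift(inSync, SAMPLE_LOCK));
console.log('bumped :', findDrift(bumped, SAMPLE_LOCK));
```

Without the flag, a plain `yarn install` would resolve `lodash@^4.17.20` at build time and rewrite `yarn.lock`, so the built code would differ from what was reviewed.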