
This is part of a pull request created by Dependabot, and while this installs perfectly fine, I would expect doctrine@^2.0.0, doctrine@^2.0.2: to change into doctrine@^2.0.0, doctrine@^2.1.0:, so that only 2.1.0 is installed, instead of the current 2.0.2 and 2.1.0.
doctrine is a dependency of eslint, which updated from 4.15.0 to 4.16.0.
Thanks for the feedback @StephanBijzitter.
I'm not sure there's an easy way to fix this on Dependabot's side - we lean heavily on Yarn's internals for lockfile generation, and if Yarn doesn't behave perfectly (as it hasn't above) then there's not a lot we can do.
There's an issue open on the yarn repo, but it hasn't had as much love as I'd like. There's also yarn-tools that attempts to fix this, but I'm not 100% sure I trust it...
Alright, that issue indeed seems to be exactly what I saw in one of our(/dependabot's) PRs. Hopefully they'll be able to resolve it soon. As for this issue, I'll leave it to you to close it if wanted, I've got my answer :-)
👍. I'm going to close but add a personal TODO to look into creating a yarn-tools-like PR into Yarn. The core team there are brilliant, but they've got a lot on their plate!
@greysteil happy to help with that PR
FYI, this made it into Dependabot a few weeks ago - we now de-dup the yarn.lock for the dependency we're updating, based on some custom logic (inspired by yarn-tools). 🎉
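The duplicate-entry situation discussed in this thread, as an added example (not Dependabot's or yarn-tools' code): it parses a constructed yarn.lock v1 excerpt and reports ranges locked to a lower version than another already-locked version that also satisfies them. All function names are hypothetical, and only caret ranges and exact versions are handled.

```javascript
// Constructed yarn.lock (v1) excerpt mirroring the doctrine case in the thread.
const SAMPLE_LOCK = `
doctrine@^2.0.0:
  version "2.0.2"

doctrine@^2.1.0:
  version "2.1.0"

esutils@^2.0.2:
  version "2.0.2"
`;

const parts = (v) => v.split(".").map(Number);
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Assumption: caret ranges (pinned up to the first non-zero part) or exact versions only.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const v = parts(version), r = parts(range.slice(1));
  const pinned = r[0] > 0 ? 1 : r[1] > 0 ? 2 : 3;
  return compare(v, r) >= 0 && r.slice(0, pinned).every((p, i) => p === v[i]);
}

// One { name, range, version } record per requested range in the lockfile.
function parseLock(text) {
  const entries = [];
  let specs = [];
  for (const line of text.split("\n")) {
    const version = line.match(/^\s+version "(.+)"$/);
    if (/^\S.*:$/.test(line)) {
      specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/"/g, ""));
    } else if (version) {
      for (const s of specs) {
        const at = s.lastIndexOf("@"); // last "@" so scoped names like @scope/pkg survive
        entries.push({ name: s.slice(0, at), range: s.slice(at + 1), version: version[1] });
      }
    }
  }
  return entries;
}

// Ranges locked below another already-locked version that also satisfies them.
function findDuplicates(text) {
  const entries = parseLock(text);
  return entries.flatMap((e) => {
    const best = entries.filter((o) => o.name === e.name && satisfies(o.version, e.range))
      .sort((a, b) => compare(parts(b.version), parts(a.version)))[0];
    return best && best.version !== e.version ? [{ ...e, couldUse: best.version }] : [];
  });
}
```

Calling `findDuplicates(SAMPLE_LOCK)` flags the `doctrine@^2.0.0` entry, which is the one the original poster expected to be merged into the 2.1.0 resolution.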