Yarn has an option (specified in the .yarnrc) to create an offline mirror that will allow offline installs:
yarn-offline-mirror "./npm-packages-offline-cache"
yarn-offline-mirror-pruning true
This is essentially vendoring, and it would be nice for Dependabot to support it.
See https://github.com/dependabot/feedback/issues/7 for original issue.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.
Oh nooo....
:+1:
Dependabot is really cool, but when every PR it creates in our repos fails CI because it only updates package.json and yarn.lock and NOT our yarn-offline-mirror, its use is fairly limited for us. Our CI (as well as our Docker containers) uses yarn install --offline --frozen-lockfile --link-duplicates.
So if Dependabot could understand from .yarnrc that the offline mirror is used and also add the files in ./yarn-offline-mirror, it would be awesome.
Almost 3 years now...
I tried using a workflow to update the offline mirror, but then Dependabot sees the PR as edited by someone else (despite it being the author of the commit).
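The mismatch described in this thread (yarn.lock updated, offline mirror not) can be caught before `yarn install --offline` fails. The following is an added example, not part of any comment above and not Dependabot or Yarn code; the function names are hypothetical, the sample repo and its `#0000` hashes are constructed, and it assumes Yarn 1 mirror file naming for registry tarballs only.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: Yarn 1 stores a registry tarball in the mirror under the basename
# of its "resolved" URL, prefixed with "@scope-" for scoped packages.
RESOLVED_RE = re.compile(r'^\s+resolved "([^"#]+)')
MIRROR_RE = re.compile(r'^yarn-offline-mirror[ \t]+"?([^"\n]+?)"?[ \t]*$', re.M)

def mirror_dir(repo):
    """Return the mirror directory configured in .yarnrc, or None."""
    rc = repo / ".yarnrc"
    m = MIRROR_RE.search(rc.read_text()) if rc.is_file() else None
    return repo / m.group(1) if m else None

def expected_tarball(resolved_url):
    """Mirror file name expected for one yarn.lock "resolved" URL."""
    parts = [p for p in urlparse(resolved_url).path.split("/") if p]
    scope = next((p for p in parts[:-1] if p.startswith("@")), None)
    return f"{scope}-{parts[-1]}" if scope else parts[-1]

def missing_from_mirror(repo):
    """List tarballs that yarn.lock needs but the mirror does not contain."""
    mirror = mirror_dir(repo)
    if mirror is None:
        return []  # no offline mirror configured, nothing to check
    present = {p.name for p in mirror.glob("*.tgz")}
    lock = (repo / "yarn.lock").read_text().splitlines()
    wanted = {expected_tarball(m.group(1)) for m in map(RESOLVED_RE.match, lock) if m}
    return sorted(wanted - present)

def build_sample_repo(root):
    """Constructed repo: lockfile lists two packages, mirror holds only one."""
    (root / ".yarnrc").write_text('yarn-offline-mirror "./npm-packages-offline-cache"\n'
                                  "yarn-offline-mirror-pruning true\n")
    (root / "yarn.lock").write_text(
        'lodash@^4.17.0:\n  version "4.17.21"\n'
        '  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#0000"\n'
        '"@babel/core@^7.0.0":\n  version "7.0.0"\n'
        '  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.0.0.tgz#0000"\n')
    cache = root / "npm-packages-offline-cache"
    cache.mkdir()
    (cache / "lodash-4.17.21.tgz").write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(missing_from_mirror(build_sample_repo(Path(tmp))))
```

Run as an early CI step on a real checkout, a non-empty result identifies the exact tarballs a lockfile-only PR left out of the mirror.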