Yarn: Yarn install documentation recommending --frozen-lockfile for CI builds is too opinionated
Do you want to request a feature or report a bug?
feature
What is the current behavior?
The top of the documentation page states that yarn install --frozen-lockfile is recommended for CI builds, failing a build if the lockfile is out of date.
If the current behavior is a bug, please provide the steps to reproduce.
n/a
What is the expected behavior?
Most organizations don't want to fail a build if the lockfile is out of date. This is too opinionated. This recommendation should be removed, or present the options of --frozen-lockfile oir --pure-lockfile, explaining that --frozen-lockfile will fail the build if a remote dependency is updated (which is highly likely throughout any given day for a project with numerous dependencies)
It's recommended that the documentation be updated to suggest the options of --frozen-lockfile and --pure-lockfile, with an explanation of each.
Please mention your node.js, yarn and operating system version.
n/a: documentation issue
sesopenko
All 3 comments
FWIW, I think this recommendation is correct. If a lockfile is out of date with respect to the package.json, that's a problem and should not be allowed. If such a state is detected on a branch, that branch should not be merged. If your opinion is different, you're welcome to omit --frozen-lockfile or simply log and ignore the error.
UPDATE
鈥β爀xplaining that --frozen-lockfile will fail the build if a remote dependency is updated
This seems to be the main reason for your objection, but I'm pretty sure this is not true. The whole point is that only changes to package.json should trigger changes to yarn.lock.
eventualbuddha
on 31 Oct 2017
Moving to website repo as this issue relates to documentation. Thanks!
Daniel15
on 1 Nov 2017
This issue was moved to yarnpkg/website#700
Daniel15
on 1 Nov 2017
Related issues
catkins
路
3Comments
MunifTanjim
路
3Comments
ocolot
路
3Comments
victornoel
路
3Comments
davidmaxwaterman
路
3Comments
Most helpful comment
FWIW, I think this recommendation is correct. If a lockfile is out of date with respect to the package.json, that's a problem and should not be allowed. If such a state is detected on a branch, that branch should not be merged. If your opinion is different, you're welcome to omit
--frozen-lockfileor simply log and ignore the error.UPDATE
This seems to be the main reason for your objection, but I'm pretty sure this is not true. The whole point is that only changes to package.json should trigger changes to yarn.lock.