How to have yarn fail on yarn install when package.json and yarn.lock are out of sync?

元气小坏坏 submitted on 2020-01-24 20:40:24

Question


On a project I have replaced npm with yarn to get the benefits of it, and also enforce our dependencies are locked in via the yarn.lock.

Now, a developer added a library with npm@4, which only changed the package.json, and not of course the yarn.lock.

I would have expected the yarn install command to crash on the build server, yet yarn has the--to me unexpected behavior--of adding those libraries in their most current version and then updating the yarn.lock on the remote:

$ yarn install
warning ../package.json: No license field
[1/4] Resolving packages...
[2/4] Fetching packages...
warning fsevents@1.1.2: The platform "linux" is incompatible with this module.
info "fsevents@1.1.2" is an optional dependency and failed compatibility check. Excluding it from installation.
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 5.07s.

This is beside the purpose I intended, as the build job does not push the yarn.lock back to the repository. I want each developer to be responsible for the version they are checking in.

Hence, is there a way to have yarn install exit with an error code if the package.json and yarn.lock are out of sync?


Answer 1:


You want the --frozen-lockfile parameter:

$ yarn install --frozen-lockfile
yarn install v0.27.5
warning ../package.json: No license field
[1/4] Resolving packages...
error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.

This was also recently made clear in the docs for yarn install:

yarn install

Install all the dependencies listed within package.json in the local node_modules folder.

The yarn.lock file is utilized as follows:

  • If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions.
  • If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.

If you want to ensure yarn.lock is not updated, use --frozen-lockfile.
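An offline pre-check for the out-of-sync condition discussed above, added here as an example; it is not part of the original question or answer and is not Yarn's own code. It assumes a Yarn v1 yarn.lock, whose entry headers are `name@range` patterns, and the function names and sample data are constructed for illustration.

```javascript
'use strict';

// Collect every "name@range" pattern from the entry headers of a yarn.lock (v1).
function lockfilePatterns(lockText) {
  const patterns = new Set();
  for (const line of lockText.split(/\r?\n/)) {
    // Entry headers are unindented, are not comments, and end with ':'.
    if (!line || line.startsWith('#') || /^\s/.test(line) || !line.endsWith(':')) continue;
    // One entry can serve several ranges: `lodash@^4.17.0, lodash@^4.17.4:`
    for (const key of line.slice(0, -1).split(',')) {
      patterns.add(key.trim().replace(/^"|"$/g, ''));
    }
  }
  return patterns;
}

// Return the declared dependencies that have no matching lockfile entry.
function findDrift(pkg, lockText) {
  const locked = lockfilePatterns(lockText);
  const missing = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!locked.has(`${name}@${range}`)) missing.push(`${name}@${range} (${field})`);
    }
  }
  return missing;
}

// Constructed sample input: left-pad was added to package.json without running yarn.
const samplePkg = {
  dependencies: { lodash: '^4.17.4', 'left-pad': '^1.1.3' },
  devDependencies: { '@babel/core': '^7.0.0' },
};
const sampleLock = [
  '# yarn lockfile v1',
  '',
  '"@babel/core@^7.0.0":',
  '  version "7.0.0"',
  '',
  'lodash@^4.17.0, lodash@^4.17.4:',
  '  version "4.17.4"',
].join('\n');

const drift = findDrift(samplePkg, sampleLock);
console.log(drift.length ? `out of sync: ${drift.join(', ')}` : 'in sync');
// In a build job, exit non-zero when drift.length > 0 so the unlocked dependency
// is rejected before anything is fetched from the registry.
```

This only checks direct dependencies by pattern; `yarn install --frozen-lockfile` remains the authoritative check on the build server.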



Source: https://stackoverflow.com/questions/45614973/how-to-have-yarn-fail-on-yarn-install-when-package-json-and-yarn-lock-are-out-of
