How to install packages based on the lock-file with Yarn?

眉间皱痕 submitted on 2020-12-05 05:09:40

Question


We use Yarn to install dependencies. The yarn.lock file is in the repo. Compared to composer for PHP, I would expect that when I run yarn install, the dependencies are installed based on the lock file, and the lock file does not change.

With composer install for php, you install always the same version for each package on any environment. I don't see why yarn does not work in a similar way.

I think that with yarn install the lock gets updated too often and the file loses its point since it actually does not lock versions. Or am I using the wrong commands?


Answer 1:


I think your best bet is using the --frozen-lockfile flag with yarn install.


Docs:

If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass --frozen-lockfile flag.

Also

Don’t generate a yarn.lock lockfile and fail if an update is needed.


This way, if someone tries to push changes to package.json, say upgrading react from ^16.8.0 to ^16.10.0, without updating the yarn.lock file, it will error out in CI like below.

> yarn install --frozen-lockfile
error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.

To address your comment:

I think that with yarn install the lock gets updated too often and the file loses its point since it actually does not lock versions. Or am I using the wrong commands?

Yarn/npm is just doing what you tell it to. If you set the version in your package.json to "react": "16.8.0" it will never update the yarn.lock, but when using any of the npm ranges like the caret (i.e. "react": "^16.8.0"), yarn/npm will resolve to the latest version that matches that range. You have all the power!


Update

I found a small edge case. If you are running yarn add in your CI, such as for a CI-only dependency, it will update the lock file and do an install for all dependencies. For example....

# Add ci dep
yarn add codecov

# Install all deps from yarn.lock
yarn install --frozen-lockfile

This will not error like you might expect. Instead, add the --frozen-lockfile to yarn add command like this...

# Add ci dep
yarn add codecov --frozen-lockfile

# Install all deps from yarn.lock
yarn install --frozen-lockfile



Answer 2:


Check the documentation : https://yarnpkg.com/en/docs/cli/install

yarn install is used for both installing packages from package.json and installing from yarn.lock. The presence of the yarn.lock file determines whether it's an install operation or an update operation.

yarn install: Install all the dependencies listed within package.json in the local node_modules folder.

The yarn.lock file is utilized as follows:

If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions. If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.
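The condition both answers above describe (Answer 1's `--frozen-lockfile` failure, Answer 2's "yarn.lock is enough to satisfy all the dependencies listed in package.json") can be reproduced offline as a small CI guard. This is an added example, not code from the Stack Overflow post or from Yarn itself. It relies on one property of the Yarn v1 lockfile format: each entry is keyed by `name@range` exactly as the range is written in package.json, so a range edited in package.json without re-running Yarn has no matching key. The sample lockfile, the two package.json objects and the `PLACEHOLDER` hashes and tarball fragments are constructed for the example; the version numbers are illustrative, not taken from the post.

```javascript
// Offline check that mirrors what `yarn install --frozen-lockfile` enforces:
// every range in package.json must already have an entry in yarn.lock.
// Added example (not from the Stack Overflow answers or from Yarn's code).

// Parse the yarn.lock v1 text format into { "name@range": { version, integrity } }.
function parseYarnLockV1(text) {
  const entries = {};
  let current = []; // keys of the entry currently being read (one line may carry several)
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Header line, e.g.   "react@^16.8.0":   or   codecov@^3.0.0, codecov@^3.6.0:
      current = line.slice(0, -1).split(', ').map((k) => k.replace(/^"|"$/g, ''));
      for (const key of current) entries[key] = { version: null, integrity: null };
      continue;
    }
    // Two-space-indented `version` / `integrity` fields belong to the current entry.
    const m = /^  (version|integrity) (.+)$/.exec(line);
    if (m) {
      const value = m[2].replace(/^"|"$/g, '');
      for (const key of current) entries[key][m[1]] = value;
    }
    // Four-space-indented lines are transitive dependency ranges; not needed for this check.
  }
  return entries;
}

// Report package.json ranges with no lock entry (a frozen install would fail) and
// locked entries that carry no integrity hash (no content verification at install time).
function checkLockfile(pkg, lockText) {
  const lock = parseYarnLockV1(lockText);
  const wanted = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const missing = [];
  for (const [name, range] of Object.entries(wanted)) {
    const key = `${name}@${range}`;
    if (!(key in lock)) missing.push(key);
  }
  const noIntegrity = new Set();
  for (const [key, entry] of Object.entries(lock)) {
    if (entry.integrity === null) {
      const name = key.slice(0, key.lastIndexOf('@')); // handles scoped names like @scope/pkg
      noIntegrity.add(`${name}@${entry.version}`);
    }
  }
  return { missing, noIntegrity: [...noIntegrity], frozenInstallWouldFail: missing.length > 0 };
}

// Constructed sample yarn.lock; hashes and tarball fragments are placeholders, not real values.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"react@^16.8.0":
  version "16.8.6"
  resolved "https://registry.yarnpkg.com/react/-/react-16.8.6.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    loose-envify "^1.1.0"

loose-envify@^1.1.0:
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/loose-envify/-/loose-envify-1.4.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

codecov@^3.0.0, codecov@^3.6.0:
  version "3.7.0"
  resolved "https://registry.yarnpkg.com/codecov/-/codecov-3.7.0.tgz#PLACEHOLDER"
`;

// package.json as committed alongside the lockfile: every range has a lock entry.
const COMMITTED_PKG = { dependencies: { react: '^16.8.0' }, devDependencies: { codecov: '^3.6.0' } };
// The same file after someone bumped react to ^16.10.0 without re-running yarn.
const BUMPED_PKG = { dependencies: { react: '^16.10.0' }, devDependencies: { codecov: '^3.6.0' } };

console.log('committed:', JSON.stringify(checkLockfile(COMMITTED_PKG, SAMPLE_LOCK)));
console.log('bumped:   ', JSON.stringify(checkLockfile(BUMPED_PKG, SAMPLE_LOCK)));
```

With the committed package.json the check reports nothing missing, so a frozen install would succeed; with the bumped file it reports `react@^16.10.0` as missing, which is the same situation that produces the "Your lockfile needs to be updated" error quoted in Answer 1. The `noIntegrity` list is an extra signal the answers do not cover: an entry without an `integrity` field is still version-pinned but gives the installer no hash to verify the downloaded tarball against.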




Answer 3:


The Yarn lock file is expected to work the way you explained. Your yarn.lock file is auto-generated and should be handled entirely by Yarn. As you add/upgrade/remove dependencies with the Yarn CLI, it will automatically update your yarn.lock file.



Source: https://stackoverflow.com/questions/52630404/how-to-install-packages-based-on-the-lock-file-with-yarn
