
Add check whether yarn.lock needs to be updated

What does this MR do and why?

Under certain circumstances (bad merges?) the yarn.lock file might contain extraneous root dependencies. This is not a security risk because the dependencies are simply not downloaded. However, it can be confusing because a yarn install updates yarn.lock locally, while yarn install --frozen-lockfile does not fail in CI.

The last time this happened was after !55062 (merged) was merged.

Interestingly, yarn check --integrity would fail in that situation. We already run this check locally as part of yarn run jest, but not in CI, because CI runs yarn run jest:ci instead. Adding the same check to our static-analysis job will prevent this in the future.

Fixes #352786 (closed)

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Check out b711569d
  2. Run yarn install --frozen-lockfile => Does not fail
  3. Run yarn check-dependencies => Fails
  4. Run yarn install => Updates lock file
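To make the failure mode concrete, here is an added example (not code from this MR or from yarn) that reads the yarn.lock v1 format and reports entries that nothing in package.json requires, even transitively. It assumes a v1 lockfile; the package.json and lockfile contents are constructed, not taken from the repository.

```javascript
// Added example (not the MR's code): parse yarn.lock v1 and report entries nothing in package.json requires.
function parseYarnLock(text) {
  const entries = [];              // each: { patterns: [...], dependencies: { name: range } }
  let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {    // header, e.g. `"@babel/core@^7.0.0", "@babel/core@^7.12.0":`
      const patterns = raw.replace(/:\s*$/, "").split(",").map(p => p.trim().replace(/^"|"$/g, ""));
      entries.push(current = { patterns, dependencies: {} });
      inDeps = false;
    } else if (/^  (optionalD|d)ependencies:/.test(raw)) {
      inDeps = true;
    } else if (inDeps && raw.startsWith("    ")) {
      const m = raw.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    } else if (raw.startsWith("  ")) {
      inDeps = false;              // version / resolved / integrity lines end a dependency list
    }
  }
  return entries;
}
// Walk from the manifest through each locked entry's dependencies; whatever is never reached
// is extraneous. Required patterns missing from the lock are the case --frozen-lockfile catches.
function findExtraneous(packageJson, lockText) {
  const entries = parseYarnLock(lockText);
  const byPattern = new Map();
  for (const e of entries) for (const p of e.patterns) byPattern.set(p, e);
  const wanted = new Set(), queue = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"])
    for (const [name, range] of Object.entries(packageJson[section] || {})) queue.push(`${name}@${range}`);
  while (queue.length) {
    const pattern = queue.pop();
    if (wanted.has(pattern)) continue;
    wanted.add(pattern);
    const e = byPattern.get(pattern);
    if (e) for (const [n, r] of Object.entries(e.dependencies)) queue.push(`${n}@${r}`);
  }
  return entries.filter(e => !e.patterns.some(p => wanted.has(p))).map(e => e.patterns.join(", "));
}
// Constructed sample: package.json needs only debug; chalk (and the ansi-styles it pulls in) is the
// kind of leftover a bad merge leaves behind. resolved/integrity lines are omitted for brevity.
const SAMPLE_PACKAGE_JSON = { dependencies: { debug: "^4.3.1" } };
const SAMPLE_LOCK = [
  "# yarn lockfile v1",
  "chalk@^4.1.0:", '  version "4.1.2"', "  dependencies:", '    ansi-styles "^4.1.0"',
  "ansi-styles@^4.1.0:", '  version "4.3.0"',
  "debug@^4.3.1:", '  version "4.3.4"', "  dependencies:", '    ms "2.1.2"',
  "ms@2.1.2:", '  version "2.1.2"',
].join("\n");
console.log(findExtraneous(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)); // [ 'chalk@^4.1.0', 'ansi-styles@^4.1.0' ]
```

A non-empty result is exactly the state in which yarn install --frozen-lockfile passes while yarn install would rewrite the lockfile.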

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lukas Eipert
