Add check whether yarn.lock needs to be updated
What does this MR do and why?
Under certain circumstances (bad merges?) the yarn.lock file might contain extraneous root dependencies. This is not a security risk because the dependencies are simply not downloaded. However, it can be confusing because a `yarn install` updates yarn.lock locally, while a `yarn install --frozen-lockfile` does not fail in CI.

The last time this happened was after !55062 was merged.

Interestingly, a `yarn check --integrity` would fail. We already utilize this locally when running `yarn run jest`. This is also not executed in CI, because we run `yarn run jest:ci` there. Simply adding the same check to our static-analysis will solve the problem in the future.
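As an added illustration (not the MR's `check-dependencies` script and not yarn's own `check --integrity` implementation), the Node script below parses a yarn.lock v1 file and walks the dependency graph from package.json. Specs that package.json or a lockfile entry requests but that are absent from the lockfile are roughly what `--frozen-lockfile` fails on; lockfile entries that nothing reaches are the extraneous root dependencies described above, which `--frozen-lockfile` accepts and a plain `yarn install` would prune, rewriting yarn.lock. The package names, ranges and integrity values are constructed, and `parseYarnLock`, `rootSpecs` and `checkLockfile` are this example's own names.

```javascript
// Added example: detect yarn.lock v1 entries that nothing requests any more.
// Not the MR's check-dependencies script; all package names, ranges and
// integrity values below are constructed for the demo.

// Parse yarn.lock v1 into entries of { specs, deps }. A top-level key line
// looks like `"@scope/name@^1.0.0", name@^1.2.0:` and may list several specs;
// dependency lines sit at 4-space indent under a 2-space
// `dependencies:` / `optionalDependencies:` header.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, deps: [] };
      entries.push(current);
      inDeps = false;
    } else if (/^ {2}(optionalDependencies|dependencies):\s*$/.test(line)) {
      inDeps = true;
    } else if (line.startsWith('    ')) {
      if (!inDeps || current === null) continue;
      // `name "range"`, with the name quoted when it is scoped
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]*)"?$/);
      if (m) current.deps.push(`${m[1]}@${m[2]}`);
    } else {
      inDeps = false; // version/resolved/integrity: the deps block is over
    }
  }
  return entries;
}

// Specs that package.json asks for directly (the roots of the graph).
function rootSpecs(packageJson) {
  const roots = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(packageJson[field] || {})) {
      roots.push(`${name}@${range}`);
    }
  }
  return roots;
}

// Walk the lockfile graph from the roots. Requested-but-absent specs are
// "missing" (what --frozen-lockfile fails on); lockfile specs never reached
// are "extraneous" (what --frozen-lockfile ignores but `yarn install` prunes).
function checkLockfile(packageJson, lockText) {
  const entries = parseYarnLock(lockText);
  const entryBySpec = new Map();
  for (const entry of entries) for (const spec of entry.specs) entryBySpec.set(spec, entry);
  const reachable = new Set();
  const missing = [];
  const queue = rootSpecs(packageJson);
  while (queue.length > 0) {
    const spec = queue.pop();
    if (reachable.has(spec)) continue;
    reachable.add(spec);
    const entry = entryBySpec.get(spec);
    if (entry === undefined) { missing.push(spec); continue; }
    queue.push(...entry.deps);
  }
  const extraneous = [];
  for (const entry of entries) {
    for (const spec of entry.specs) if (!reachable.has(spec)) extraneous.push(spec);
  }
  return { missing: missing.sort(), extraneous: extraneous.sort() };
}

// Constructed inputs: the two stale-* entries are no longer requested by
// anything, the situation the MR describes after a bad merge.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { lodash: '^4.17.21' },
  devDependencies: { '@babel/code-frame': '^7.16.7' },
};
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

"@babel/code-frame@^7.16.7":
  version "7.16.7"
  integrity sha512-CONSTRUCTED
  dependencies:
    "@babel/highlight" "^7.16.7"

"@babel/highlight@^7.16.7":
  version "7.16.7"
  integrity sha512-CONSTRUCTED

lodash@^4.17.21:
  version "4.17.21"
  integrity sha512-CONSTRUCTED

stale-child-pkg@^1.0.0:
  version "1.0.0"
  integrity sha512-CONSTRUCTED

stale-root-pkg@^1.3.0:
  version "1.3.0"
  integrity sha512-CONSTRUCTED
  dependencies:
    stale-child-pkg "^1.0.0"
`;

console.log(checkLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK));
```

With the constructed inputs, `missing` is empty (so a frozen-lockfile style check passes) while `extraneous` lists both stale specs, including the child that is only reachable through the stale root. A CI step built on this idea would exit non-zero whenever either list is non-empty.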
Fixes #352786
Screenshots or screen recordings
N/A
How to set up and validate locally
- Checkout b711569d
- Run `yarn install --frozen-lockfile` => Does not fail
- Run `yarn check-dependencies` => Fails
- Run `yarn install` => Updates lock file
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.