Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency: Upgrade Yarn to v4 #24565

Merged
merged 6 commits into from
Oct 25, 2023
Merged

Dependency: Upgrade Yarn to v4 #24565

merged 6 commits into from
Oct 25, 2023

Conversation

JReinhold
Copy link
Contributor

@JReinhold JReinhold commented Oct 24, 2023

Fixes #24552

What I did

Upgrade our internal usage of Yarn to v4.

References:

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

  1. Checkout the branch
  2. Run git clean -xdf (beware, will delete all uncommitted files)
  3. Run yarn start which should take you through the whole tasks pipeline and see that it works
  4. git clean -xdf again
  5. yarn task --task=compile --no-link to see that it also compiles in --no-link mode
  6. cd scripts
  7. yarn release:version --exact 0.0.0-canary-test-yarn.0
  8. yarn release:publish --tag canary to see that it correctly attempts to publish. It should output a long list of YN0033: No authentication configured for request errors because you don't have the npm token set, which is the correct output.

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This pull request has been released as version 0.0.0-pr-24565-sha-2d556c14. Install it by pinning all your Storybook dependencies to that version.

More information
Published version 0.0.0-pr-24565-sha-2d556c14
Triggered by @JReinhold
Repository storybookjs/storybook
Branch upgrade-yarn-4
Commit 2d556c14
Datetime Tue Oct 24 11:57:48 UTC 2023 (1698148668)
Workflow run 6626437775

To request a new release of this pull request, mention the @storybookjs/core team.

core team members can create a new canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=24565

@JReinhold JReinhold added ci:daily Run the CI jobs that normally run in the daily job. build Internal-facing build tooling & test updates labels Oct 24, 2023
@JReinhold JReinhold changed the title Build: Upgrade Yarn to v4 Monorepo: Upgrade Yarn to v4 Oct 24, 2023
@JReinhold JReinhold changed the title Monorepo: Upgrade Yarn to v4 Dependency: Upgrade Yarn to v4 Oct 24, 2023
@JReinhold JReinhold self-assigned this Oct 24, 2023
@socket-security
Copy link

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
@types/pretty-hrtime 1.0.1 None +0 3.6 kB types
@types/detect-port 1.3.3 None +0 3.84 kB types
yaml 2.3.2 None +0 661 kB eemeli
@types/ejs 3.1.3 None +0 17.3 kB types
@types/uuid 9.0.4 None +0 7.14 kB types
@types/qs 6.9.8 None +0 7.07 kB types
giget 1.1.2 network +0 34.7 kB pi0
@types/cross-spawn 6.0.3 None +4 15.7 MB types
vue 2.7.14 None +4 7.18 MB yyx990803
tocbot 4.21.1 None +0 776 kB tscanlin
ts-loader 9.4.4 None +16 17.4 MB johnnyreilly
@types/babel__preset-env 7.9.3 None +0 7.57 kB types
@types/util-deprecate 1.0.1...1.0.0 None +0/-0 2.69 kB types
@types/webpack-virtual-modules 0.1.3...0.1.2 None +6/-10 4.1 MB types
@types/npmlog 4.1.5...4.1.4 None +0/-0 5.25 kB types
@types/ip 1.1.2...1.1.1 None +1/-0 3.93 MB types
@types/jest-image-snapshot 6.2.2...6.2.1 None +6/-2 4.04 MB types
@types/babel__plugin-transform-runtime 7.9.4...7.9.3 None +0/-0 4.32 kB types
@types/prompts 2.4.7...2.4.5 None +1/-0 3.93 MB types
@types/mock-fs 4.13.3...4.13.2 None +1/-0 3.93 MB types
@types/picomatch 2.3.2...2.3.1 None +0/-0 18.4 kB types
@angular/cli 16.2.7...16.2.4 None +7/-8 3.17 MB google-wombot
@types/webpack-env 1.18.3...1.18.2 None +0/-0 17.3 kB types
@types/js-yaml 4.0.8...4.0.6 None +0/-0 9.65 kB types
@types/ws 8.5.8...8.5.6 None +1/-0 3.94 MB types
@types/jscodeshift 0.11.9...0.11.7 None +0/-0 38.4 kB types
@types/jest-specific-snapshot 0.5.8...0.5.7 None +4/-0 108 kB types
@angular-devkit/build-angular 16.2.7...16.2.4 None +63/-82 28.6 MB google-wombot
@angular/compiler-cli 16.2.10...16.2.7 None +5/-4 14.3 MB google-wombot
@angular/platform-browser-dynamic 16.2.10...16.2.7 None +4/-9 17.8 MB google-wombot
@angular/platform-browser 16.2.10...16.2.7 None +0/-2 780 kB google-wombot
vue-template-compiler 2.7.15...2.7.14 None +0/-0 583 kB yyx990803
@angular/forms 16.2.10...16.2.7 None +1/-4 2.69 MB google-wombot
@angular/compiler 16.2.10...16.2.7 None +0/-2 8.09 MB google-wombot
@types/webpack-hot-middleware 2.25.8...2.25.7 None +9/-4 8.59 MB types
@axe-core/puppeteer 4.8.1...4.7.3 None +2/-2 3.98 MB npmdeque
@preact/preset-vite 2.6.0...2.5.0 None +14/-0 8.88 MB jdecroock
svelte 4.2.2...4.2.1 None +18/-0 6.4 MB svelte-admin
@storybook/icons 1.2.1...1.1.7 None +0/-0 1.26 MB ndelangen
@rollup/pluginutils 5.0.5...5.0.4 None +2/-0 89.1 kB shellscape
@angular-devkit/core 16.2.7...16.2.4 None +1/-0 718 kB google-wombot

🚮 Removed packages: @angular/core@16.2.10, @types/color-convert@2.0.2, @types/compression@1.7.4, @types/lodash@4.14.199, @types/tmp@0.2.5, vue-loader@15.11.1

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue Package Version Note Source
New author npm-pick-manifest 8.0.2
New author flat-cache 3.1.0

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm-pick-manifest@8.0.2
  • @SocketSecurity ignore flat-cache@3.1.0

@@ -84,23 +84,23 @@ commands:
jobs:
pretty-docs:
executor:
class: small
class: medium
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI would consistently silently bail on yarn install, this fixed that. We were likely running out of memory.

See "Install" step here silently stopping at "Fetch" step, causing the command to fail completely later.

https://app.circleci.com/pipelines/github/storybookjs/storybook/61775/workflows/4e8ba21c-8f6e-4d2b-b08d-46a6b0c764ab/jobs/588725

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

autodeleted by Yarn 4, included by default in core now

Comment on lines +1 to +3
compressionLevel: mixed

enableGlobalCache: false
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was auto set by Yarn 4. I believe this was the default in Yarn 3 but not Yarn 4, so I didn't want to change it.

@JReinhold JReinhold marked this pull request as ready for review October 24, 2023 07:45
@valentinpalkovic
Copy link
Contributor

@JReinhold We should definitely run a snapshot release on this branch to see whether the workspace:* versions get properly replaced.

@yannbf
Copy link
Member

yannbf commented Oct 24, 2023

LGTM! I'd recommend doing what Valentin said, other than that it looks good.

@JReinhold
Copy link
Contributor Author

@valentinpalkovic @yannbf I've released a canary and tested it out in Mealdrop, it works fine.

@JReinhold JReinhold merged commit 4a12d4a into next Oct 25, 2023
101 of 107 checks passed
@JReinhold JReinhold deleted the upgrade-yarn-4 branch October 25, 2023 08:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Internal-facing build tooling & test updates ci:daily Run the CI jobs that normally run in the daily job.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Investigate upgrading monorepo to Yarn 4
3 participants