-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Lock file only updates (skip modules install) #2908
Comments
You likely would write a new command rather than change the behaviour of The "lockfile" part of the install is available in the module.exports = {
name: `@yarnpkg/lockfile-only-install`,
factory: req => {
return {
const {Configuration, Cache, Project, StreamReport} = require(`@yarnpkg/core`);
const {Command} = require(`clipanion`);
commands: [
class LockfileOnlyInstall extends Command {
static paths = [[`install-lockfile-only`]];
async execute() {
const configuration = await Configuration.find(this.context.cwd, this.context.plugins);
const {project, workspace, locator} = await Project.find(configuration, this.context.cwd);
const cache = await Cache.find(configuration);
const report = await StreamReport.start({
configuration,
stdout: this.context.stdout,
}, async report => {
await project.resolveEverything({cache, report});
await project.persist();
});
return report.exitCode();
}
},
],
};
},
}; |
Thanks! I realized that I overlooked one important point. Users who commit the Yarn cache need to do much more than just update the |
For those cases (when the cache is checked inside the repo) then you could also call |
@arcanis I wonder whether it'd be possible to calculate/generate the checksum in the lockfile without fetching the package. |
Hmm - probably not, as the checksums are based on the zip archives, not the tgz the registries return. Unless the npm registry was to support zip packages (unlikely), fetching will always be needed to generate a full lockfile 🤔 (unless you cache it somewhere on the Renovate infra, that is) |
The challenge is:
Would there be a deterministic mapping of tgz sha -> zip sha? I know this would be another difficult problem to solve but would it be theoretically possible to keep a DB of zip SHAs, mapped back to the registry's tgz SHAs? |
Another way would be to fetch only relevant packages that need to be updated, i.e., of which checksum doesn't exist. I think this can be implemented by skipping |
I've created a PR in #2913 and tested it via Renovate in https://github.com/ylemkimon/KaTeX/pulls. It successfully updates the checksum. |
Describe the user story
As a Yarn user, I want to be able to update the Yarn lock file to match my
package.json
file(s) without needing to download all dependencies.Describe the solution you'd like
The ideal solution would be a flag like
--lock-file-only
where Yarn resolves dependencies, updatesyarn.lock
accordingly, then exits before downloading modules.However for Yarn v1 we had a one-line "hack" which is also perfectly sufficient: https://github.com/renovatebot/renovate/blob/22e982503c5d4bff4b0581a524ebf3e340a59648/lib/manager/npm/post-update/yarn.ts#L47
This hack tricked Yarn into exiting early and gracefully, and a similar trick would be fine for Yarn 2+.
Describe the drawbacks of your solution
The main drawback would be maintainability if the solution adds any non-trivial branches of logic.
Describe alternatives you've considered
A plugin solution would be OK but I'm not sure whether the hooks are yet "deep" enough to allow such a change to core functionality. If there were sufficient hooks, then a new command like
yarn update-lockfile
would be a great alternative.The text was updated successfully, but these errors were encountered: