
Automatize `yarn.lock` or remove it

Open nulls opened this issue 2 years ago • 2 comments

> shouldn't it be automatically? @nulls

we have it as a separate task in save-cloud, but we don't have such in save-cli

honestly, I don't understand why we need yarn.lock in save-cli: it doesn't have a JS executable artifact, only a library (and it's a pure Kotlin app). Will create an issue for it (if we need the yarn.lock, will create a task for it as in save-cloud).

And still it can fail: even in save-cloud, the task kotlinUpgradeYarnLock is separate, and if a JS dependency is changed by upgrading Kotlin (as we see here), it fails.

Originally posted by @nulls in https://github.com/saveourtool/save-cli/issues/518#issuecomment-1493915456

nulls avatar Apr 03 '23 08:04 nulls

can we unify updates in JS and in kotlinUpgradeYarnLock into a single action for the renovate bot?

nulls avatar Apr 03 '23 09:04 nulls

Without a lockfile, yarn/npm will always resolve version ranges each time a build is performed. Some time ago, there was an incident in which this setup caused all Kotlin installations to download a certain dependency version that contained malware. Since then, having yarn.lock in Kotlin projects is both enabled by default and recommended.

Here is the blog post about the original issue: https://blog.jetbrains.com/kotlin/2021/10/important-ua-parser-js-exploit-and-kotlin-js/

petertrr avatar Apr 03 '23 09:04 petertrr
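The resolution difference petertrr describes, as an added example that is not part of this thread or of the save-cli project: a toy resolver for a constructed registry listing, showing that a floating `^x.y.z` range picks whatever was published most recently inside the range on every install, while a yarn.lock-style entry keeps the originally recorded version and integrity. It also treats the case nulls mentions, a lockfile entry that no longer matches the declared range after a dependency bump, as a hard error instead of silently re-resolving. The package name, version list, and integrity strings are all made up for illustration; only exact, caret, and tilde ranges are handled.

```javascript
// Added example, not code from the save-cli project or this thread: a toy
// resolver that shows why a floating semver range gives a different answer on
// every install while a lockfile entry pins it. Package name, versions and
// integrity hashes below are constructed for illustration.

// Constructed registry listing for a hypothetical package. Assume 0.7.28 was the
// version first installed and the later entries were published afterwards.
const PUBLISHED = {
  "example-parser": ["0.7.27", "0.7.28", "0.7.29", "0.7.30", "0.8.0", "1.0.0"],
};

// Constructed yarn.lock-style entry recorded at first install.
const LOCKFILE = {
  "example-parser@^0.7.28": { version: "0.7.28", integrity: "sha512-constructed-hash-of-0.7.28" },
};

function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  const [major, minor, patch] = parts;
  return { major, minor, patch };
}

function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

function compareVersions(a, b) {
  return cmp(parseVersion(a), parseVersion(b));
}

// Exclusive upper bound for a caret range, following npm semantics:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(base) {
  if (base.major > 0) return { major: base.major + 1, minor: 0, patch: 0 };
  if (base.minor > 0) return { major: 0, minor: base.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: base.patch + 1 };
}

// Supports exact versions, "^x.y.z" and "~x.y.z" only (no prereleases, no "||").
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^") || range.startsWith("~")) {
    const base = parseVersion(range.slice(1));
    const upper = range.startsWith("^")
      ? caretUpperBound(base)
      : { major: base.major, minor: base.minor + 1, patch: 0 };
    return cmp(v, base) >= 0 && cmp(v, upper) < 0;
  }
  return cmp(v, parseVersion(range)) === 0;
}

// No lockfile: every install takes the newest published version inside the
// range, so a release pushed after the project was set up is picked up silently.
function resolveFloating(name, range, published = PUBLISHED) {
  const candidates = (published[name] || []).filter(v => satisfies(v, range));
  if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  return candidates.sort(compareVersions).pop();
}

// With a lockfile: reuse the recorded version and integrity as long as the
// declared range still covers it. A stale entry (range bumped, lockfile not
// regenerated) is an error rather than a silent re-resolution; that mismatch is
// what a separate lockfile-upgrade step has to fix.
function resolveLocked(name, range, lockfile = LOCKFILE, published = PUBLISHED) {
  const entry = lockfile[`${name}@${range}`];
  if (!entry) {
    return { version: resolveFloating(name, range, published), fromLock: false, integrity: null };
  }
  if (!satisfies(entry.version, range)) {
    throw new Error(`lockfile pins ${name}@${entry.version}, outside declared range ${range}`);
  }
  return { version: entry.version, fromLock: true, integrity: entry.integrity };
}

// Side-by-side result for the constructed scenario.
function demo(range = "^0.7.28") {
  return {
    floating: resolveFloating("example-parser", range),
    locked: resolveLocked("example-parser", range),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the constructed listing, `resolveFloating` returns 0.7.30 (the newest release inside `^0.7.28`) while `resolveLocked` returns the pinned 0.7.28 with its recorded integrity; the same declared range, two different installs. Regenerating the lockfile is what moves the pin, which is why that step is worth keeping explicit and reviewable rather than letting each build re-resolve.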