
Yarn workspaces monorepo: dependabot PR adds monorepo packages to the yarn.lock

Open lxgreen opened this issue 3 years ago • 1 comments

Package manager/ecosystem
npm

Manifest contents prior to update
root package.json

Updated dependency
link to example PR

What you expected to see, versus what you actually saw
Since Oct 17, the dependabot PRs started to add the monorepo packages to the yarn.lock. All the packages have the same pinned version, and there are inter-dependencies between some of them. The monorepo is managed by lerna with yarn workspaces; all the packages are workspaces. Lerna is used for script running, version bump, and publish only -- no bootstrap, no hoisting. The yarn workspaces mechanism is responsible for package linking. When yarn install runs locally, it does not add the packages to the lock file.

Images of the diff or a link to the PR, issue or logs
Here's the all-changes diff made from Oct 11 (last time dependabot created a correct PR) till Oct 17 (first PR with the issue reproduced). As you can see, all the package.json files are updated together to the same version.

lxgreen, Oct 19 '20 20:10
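A check for the symptom reported above, as an added example that is not part of the original issue or of dependabot-core: it parses a Yarn v1 `yarn.lock` and reports entries whose names match the monorepo's own workspace packages, so a reviewer can spot them in an automated PR before merging. The `@acme/*` names, registry URLs and lockfile text are constructed, and the workspace names are assumed to have been collected from each workspace's package.json.

```javascript
// "@acme/ui@1.4.0" -> "@acme/ui"; searching from index 1 skips a leading scope "@".
function specName(spec) {
  const s = spec.trim().replace(/^"|"$/g, "");
  const at = s.indexOf("@", 1);
  return at === -1 ? s : s.slice(0, at);
}

// Collect entry headers and their two-space-indented version/resolved fields.
function parseEntries(lockText) {
  const entries = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const names = line.slice(0, -1).split(/,\s*/).map(specName);
      current = { names: [...new Set(names)], version: null, resolved: null };
      entries.push(current);
    } else if (current) {
      const m = /^ {2}(version|resolved) "([^"]*)"$/.exec(line);
      if (m) current[m[1]] = m[2];
    }
  }
  return entries;
}

// Report every lockfile entry whose name is one of the workspace package names.
function workspaceLeaks(lockText, workspaceNames) {
  const own = new Set(workspaceNames);
  return parseEntries(lockText)
    .flatMap((e) => e.names.map((name) => ({ name, version: e.version, resolved: e.resolved })))
    .filter((hit) => own.has(hit.name))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed samples (assumption: names come from each workspace's package.json).
const SAMPLE_WORKSPACES = ["@acme/core", "@acme/ui"];
const SAMPLE_LOCK = `# yarn lockfile v1
"@acme/core@1.4.0":
  version "1.4.0"
  resolved "https://registry.example.test/@acme/core/-/core-1.4.0.tgz"

"@acme/ui@1.4.0":
  version "1.4.0"
  resolved "https://registry.example.test/@acme/ui/-/ui-1.4.0.tgz"
  dependencies:
    "@acme/core" "1.4.0"

lodash@^4.17.15, lodash@^4.17.20:
  version "4.17.20"
`;
console.log(workspaceLeaks(SAMPLE_LOCK, SAMPLE_WORKSPACES));
```

A non-empty result means the lockfile pins a workspace package to a `resolved` URL instead of leaving it to workspace linking, which is the difference the reporter saw between the dependabot PRs and a local `yarn install`.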

We've made a number of changes/improvements to Yarn over the past two years.

Is this still an issue?

jeffwidman, Aug 11 '22 07:08

Closing due to lack of user response.

jeffwidman, Sep 17 '22 10:09