dependabot-core
Yarn workspaces monorepo: dependabot PR adds monorepo packages to the yarn.lock
Package manager/ecosystem
npm
Manifest contents prior to update
root package.json
Updated dependency
link to example PR
What you expected to see, versus what you actually saw
Since Oct 17, the dependabot PRs started to add the monorepo packages to the yarn.lock. All the packages have the same pinned version, and there are inter-dependencies between some of them. The monorepo is managed by lerna with yarn workspaces, all the packages are workspaces. Lerna is used for script running, version bump, and publish only -- no bootstrap, no hoisting. The yarn workspaces mechanism is responsible for package linking. When yarn install runs locally, it does not add the packages to the lock file.
Images of the diff or a link to the PR, issue or logs
Here's the diff of all changes made from Oct 11 (last time dependabot created a correct PR) till Oct 17 (first PR with the issue reproduced). As you can see, all the package.json files are updated together to the same version.
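A check for the symptom reported above, as an added example that is not part of the original issue or of dependabot-core: it parses a lockfile and lists any workspace package names that have entries in it, so a CI job could flag such a PR. It assumes the classic Yarn v1 yarn.lock text format; the `@acme/*` names and both sample lockfiles are constructed.

```javascript
// Added example: detect workspace packages that leaked into a Yarn v1 yarn.lock.
// All package names and lockfile contents below are constructed sample data.

// Collect every package name that has an entry header in a v1 lockfile.
function lockedPackageNames(lockText) {
  const names = new Set();
  for (const line of lockText.split(/\r?\n/)) {
    // Entry headers are unindented, not comments, and end with ":".
    if (!line || /^\s/.test(line) || line.startsWith("#") || !line.endsWith(":")) continue;
    for (const raw of line.slice(0, -1).split(",")) {
      const spec = raw.trim().replace(/^"|"$/g, "");
      // Search from index 1 so the "@" of a scope is not taken as the separator.
      const at = spec.indexOf("@", 1);
      if (at > 0) names.add(spec.slice(0, at));
    }
  }
  return names;
}

// Per the report, a local yarn install does not lock workspace packages,
// so any workspace name found in the lockfile is worth flagging.
function workspaceEntriesInLock(workspaceNames, lockText) {
  const locked = lockedPackageNames(lockText);
  return workspaceNames.filter((name) => locked.has(name)).sort();
}

const WORKSPACES = ["@acme/core", "@acme/ui"]; // constructed names

const CLEAN_LOCK = `# yarn lockfile v1

lodash@^4.17.20, lodash@^4.17.21:
  version "4.17.21"
`;

const LEAKED_LOCK = `# yarn lockfile v1

"@acme/core@1.4.0":
  version "1.4.0"
  dependencies:
    lodash "^4.17.21"

lodash@^4.17.20, lodash@^4.17.21:
  version "4.17.21"
`;

console.log(workspaceEntriesInLock(WORKSPACES, CLEAN_LOCK));
console.log(workspaceEntriesInLock(WORKSPACES, LEAKED_LOCK));
```

In a real repository the workspace names would come from the `name` field of each workspace's package.json rather than a hard-coded list.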
We've made a number of changes/improvements to Yarn over the past two years.
Is this still an issue?
Closing due to lack of user response.