chore(deps): update lockfile to fix audit; pin @types/express due to incompatibility; return --no-lockfile#17
Conversation
| - name: Install | ||
| run: yarn install --ignore-scripts | ||
| run: yarn install --ignore-scripts --no-lockfile |
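Review bot: adding `--no-lockfile` to the Install step contradicts the PR's own title ("update lockfile to fix audit"): with that flag Yarn disregards the checked-in yarn.lock and resolves every package fresh from the registry, so the audit-driven pins this PR updates in the lockfile are never what CI actually installs, and two runs of the same commit can install different dependency trees. Keep `--ignore-scripts` (it is the right call for an untrusted install) but replace `--no-lockfile` with `--frozen-lockfile`, which installs exactly what yarn.lock records and fails the job if package.json and yarn.lock disagree, i.e. `run: yarn install --ignore-scripts --frozen-lockfile`. If the reason for the flag is that a later step rewrites package.json, that mismatch should be surfaced and fixed in the lockfile rather than hidden by re-resolving on every run.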
Must Fix — --no-lockfile makes CI non-reproducible
With --no-lockfile Yarn ignores the checked-in yarn.lock entirely and resolves packages fresh from the registry on every run. A newly published breaking patch release can silently fail CI without any code change, and what CI installs diverges from what developers install locally.
The root cause is the jossef/action-set-json-field step mutating package.json mid-job, which causes a lockfile mismatch. However, the matrix currently has only one TypeScript version ("^6.0.0"), which equals the resolutions.typescript value already in package.json, so the override step is a no-op and the mismatch never actually occurs. Use --frozen-lockfile instead:
| run: yarn install --ignore-scripts --no-lockfile | |
| run: yarn install --ignore-scripts --frozen-lockfile |
If multi-version TypeScript testing is reintroduced, the right escape hatch is --update-checksums (regenerates the lockfile after the override) rather than bypassing it entirely.
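What the reviewer's suggestion looks like as a complete CI install step, written here as an added example rather than taken from this repository's workflow. It assumes Yarn classic (v1), where the reproducible flag is `--frozen-lockfile`; on Yarn 2+ the equivalent is `yarn install --immutable`. The second step is an extra guard that is an assumption of this example: it makes any lockfile drift an explicit failure with a readable diff instead of a silent re-resolution, which is the failure mode `--no-lockfile` was hiding.

```yaml
# Added example (not the project's workflow). Assumes Yarn classic (v1).
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install
        # --ignore-scripts: do not run lifecycle scripts of untrusted packages
        # --frozen-lockfile: install exactly what yarn.lock records; fail if
        #   package.json and yarn.lock disagree instead of re-resolving
        run: yarn install --ignore-scripts --frozen-lockfile

      - name: Assert lockfile unchanged
        # Assumed guard: if any earlier step mutated package.json so that Yarn
        # had to rewrite yarn.lock, this surfaces the diff and fails the job.
        run: git diff --exit-code -- yarn.lock
```

If a matrix step later rewrites package.json on purpose (for example to test several TypeScript versions), the override belongs before the Install step, and the install for that leg should regenerate the lockfile deliberately, as the reviewer notes, rather than bypass it; the guard step should then be skipped for that leg, since a changed yarn.lock is expected there.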
Not sure about this one, explaining:
- It's originally from the tsoa package (I removed it because there was a problem installing the latest types, but after fixing it in resolutions, we can put it back). https://github.com/lukeautry/tsoa/blob/master/.github/workflows/runTestsOnPush.yml#L38
- Since this is a distributable library, end consumers will not install sub-dependencies from a lockfile, which makes CI better adapted to the real-world scenario.
No description provided.