fix: fail when yarn.lock is updated when --frozen-lockfile is used in workspaces

[ohana54]

Summary

This fix was copy-pasted from this PR which will probably not get merged in yarn:
yarnpkg#6554

The motivation is to fix yarnpkg#5840

Test plan

Added a test that verifies yarn install fails if it needs to update yarn.lock due to a workspace dependency mismatch

[ohana54]

Update: I tried running this on real-world setups, and we sometimes get an error like:
expected hoisted manifest for <some-package-name>
I'm investigating although my knowledge around this area is limited :)

[ohana54]

I'm working on a different implementation, the original one is too intrusive and changes too much of how yarn works.

[ohana54]

@VincentBailly thank you for helping pushing this forward :)
I just pushed a hopefully working version. It is much less intrusive, doesn't touch any logic but the missing packages integrity check, which fixed the hoisting errors I had.

Is it possible to run this PR in CI? I don't see any automatic status checks.

[ohana54]

@VincentBailly sorry for bothering, if you could just let me know when you can review so I could adjust my plans accordingly, thanks!

[VincentBailly]

@ohana54 My apology, I missed your previous message, I will look into it tomorrow.

[ohana54]

No problem, really appreciate your help 🙂

[VincentBailly]

I had a try and I observed that the change suggested addresses only one of the various scenarios that would result in a yarn.lock update:

• adding a new dependency in a package.json file: this PR fixes this scenario
• remove a dependency in a package.json file: this scenario is still broken, no error is reported
• manually modifying the yarn.lock file so we have either too many or too few entries: this scenario is still broken (for example, if we manually remove a dependency of our dependencies then yarn will not complain).

From what I see, it seems like the right place to fix this issue is at the yarn.lock generation step. We could compare the generated yarn.lock and the yarn.lock on disk and then fail if they differ, that would prevent us to need to think of all the possible scenarios leading to a modification of the yarn.lock file. This would also be way easier to code and to maintain.

Does it make sense to you @ohana54, or am I missing something? Would you be willing to do this change?

[ohana54]

Thanks for the review, I think it does make sense. I was so focused on the integrity checker being wrong that I haven't thought of that simple solution.

It will require to generate a lockfile inside the integrity checker, meaning we still need to have all the patterns there in order to generate it (similar to the current fix).
Then replace the current missingPatterns check with a lockfile comparison.

Is that direction ok?

[ohana54]

@VincentBailly pushed a new version that does the comparison.
Note that although yarn loads the original lockfile at the start of the install flow, it is being mutated (by calls to getLocked), therefore I had to load it again.

[VincentBailly]

Testing the following scenarios:

• removing a dependency from a package.json
• adding a new dependency to a package.json
• manually removing a transitive dependency from the lock file
• lock file in a merge conflict state

This code correctly failed in all of the tested scenario.

The code looks good to me, thanks for the contribution.

[VincentBailly]

Great work, the version 1.23.21 has been release with this fix.

[ohana54]

Thank you so much! We're so happy this is behind us, we're trying to have reproducible CI builds and this olwas a major blocker.