Support Yarn v2

[eps1lon]

While yarn v2 is still in development alphas are already released and documented: https://yarnpkg.github.io/berry/

Since I'm a big fan of dependabot and yarn v2 I would like those two to get along better.

For the default configuration of yarn v2 dependabot already updates versions correctly. However, it does not update the PnP file of yarn. This means that in a fresh clone of a project that cannot enable zero-install you create a diff by simply running yarn because that will update the pnp.js. I don't know any dev history of dependabot with regards to yarn but it might make more sense for dependabot to "just" run yarn up which should cover package.json, yarn.lock and .pnp.js.

In addition to that a nice enhancement would be to run yarn cache clean for those who have the offline mirror checked into version control.

I solved both of these issues for me by letting a github action cleanup after dependabot by running yarn and yarn cache clean but that does mean dependabot can't make changes to the PR anymore.

A hardcoded yarn.lock filename might also be problematic in the future since the lockfile name is configurable in yarn v2.

[eps1lon]

Should I spam "Any updates" to get attention or how else can I assist?

[imqdee]

Any updates ? 😄
Some projects start to migrate his yarn from v1 to v2, a good compatibility will be more and more requested.

[rebelagentm]

Hi! 👋 We're still pretty swamped integrating Dependabot into GitHub, so we haven't yet gotten to this.

[mormahr]

Now that yarn v2 is out, and pnp is enabled by default, maybe the prioritization of this issue should be revisited. We’re in the process of switching to yarn v2 / pnp, but will for the time being not include the pnp file in the repo, because it’ll cause problems with dependabot. We want to change this to use zero-installs, though.

[anthonator]

Agreed that prioritization on this should be revisited. Dependabot is pretty much broken for anyone using Yarn v2 / pnp.

[anthonator]

Is there anything the community can do to help push this along?

[eps1lon]

I push uncommited changes after yarn install on dependabot branches. This means that you have to recreate PRs instead of letting dependabot rebase them. But this isn't much of an issue for me personally.

Using azure pipelines:

trigger:
  - master

pool:
  name: 'Hosted Ubuntu 1604'
  vmImage: 'ubuntu-latest'

steps:
  - checkout: self
    clean: true
    persistCredentials: true

  - task: NodeTool@0
    inputs:
      versionSpec: '10.16.x'
    displayName: 'Install Node.js'

  - script: |
      yarn install
    displayName: 'Install packages'
  - script: |
      git config --global user.email "silbermann.sebastian@gmail.com"
      git config --global user.name "eps1lon[bot]"
      git add -A
      git status
      git diff-index --quiet HEAD || (git commit  --message 'yarn autofix' && git push -u origin HEAD:$(System.PullRequest.SourceBranch))
    # should test the actor but Build.RequestedFor does not point to dependabot but Microsoft.VisualStudio-something
    condition: and(succeeded(), startsWith(variables['System.PullRequest.SourceBranch'], 'dependabot/'))
    displayName: 'Autofix yarn for dependabot'

You could also include dependency deduplication or other autofixes in here.

[magnus-trent]

Same problem here. Working on Yarnberry Cookbook and dependabot breaks yarn.lock. Opening the generated PRs and running yarn throws YAMLException: end of the stream or a document separator is expected at ...:. So I'm guessing D'bot needs to know Yarn 2. As @eps1lon said,

A hardcoded yarn.lock filename might also be problematic in the future since the lockfile name is configurable in yarn v2.

My guess, maybe there should be a lockfile option or detect the configuration from .yarnrc.yml which might be smarter. Another issue is workspaces, it's also breaking my templates. I'm working on a similar approach as @eps1lon with Actions.