fix: fail when yarn.lock is updated in workspaces when --frozen-lockfile is used

[robin-drexler]

Summary
This PR is an attempt to fix that yarn does not fail when yarn.lock is updated in a workspace project although --frozen-lockfile is used

The current PR version is meant as a starting point as I might have missed something.

The issue seems to be caused because the patterns passed to the integrityChecker only include the root's dependencies. So it never checks if dependencies of workspaces are missing in the lockfile.

I wonder if always setting includeWorkspaceDeps to true in the installation cli command is the right thing to do, especially since those patterns are referred to as topLevelPatterns at a later point, which might indicate that the workspaces dependencies are missing on purpose.

Another idea I had (and that I tried before I found the flag), was to pass all patterns to the integrityChecker, but otherwise leave them as is.

Basically to add:

const dependencies = Array.from(
  this.resolver.getAllDependencyNamesByLevelOrder(patterns)
);

const allPatterns = dependencies.reduce((allPatterns, dependency) => {
  const allInfo = this.resolver.getAllInfoForPackageName(dependency);
  allInfo.forEach(({ _reference: { patterns } }) => {
    for (const pattern of patterns) {
      allPatterns.add(pattern);
    }
  });
  return allPatterns;
}, new Set());

before: https://github.com/yarnpkg/yarn/blob/master/src/cli/commands/install.js#L457 and use allPatterns in place of patterns as argument.

If anybody could point me in the right direction, I'd be happy to continue working on a fix.

Thanks a lot in advance! :)

[robin-drexler]

Hey, is there anything that I can do to push things forward? :)

[kachkaev]

ping folks 👋 🙏

The current behaviour of the --frozen-lockfile argument does match what the docs are saying. Because of that, CI pipelines for PRs succeed even if somebody updated package.json, but did not update yarn.lock. Inconsistent sets of packages land the master branch and cause a lot of confusion down the line.

[nevir]

Same question here: what can we do to help get this in?

[kachkaev]

Some workarounds for CI can be found in #5840

[arcanis]

Hey, sorry for now pinging back sooner.

The change appears sound, but we're currently working on the v2 (scheduled before the end of the year) and I'm somewhat worried about introducing subtle bugs right before releasing the next major (the way I see it, the current v1 is, despite its shortcomings, relatively stable).

One question in particular I'd need to see answered is why isn't includeWorkspaceDeps always on by default? What does it imply to enable it for every install? I don't remember why it got implemented. Maybe @jgoz would remember (#4654)?

[jgoz]

I think I remember why it got implemented in the first place. It’s because running certain commands inside a child workspace needed to consider dependencies across the entire workspace (outdated, upgrade-interactive), mainly because it made more sense from the user’s perspective (maybe? It’s been a long time since I looked at this).

I haven’t fully considered this current change but a safer approach might be to only enable includeWorkspaceDeps when —frozen-lockfile is specified, rather than always enabling it.

I should also note that we long ago switched to using —pure-lockfile in our CI because after reading the docs more carefully, it was the flag we actually wanted.

[robin-drexler]

👋 I know, it's been a while, but is there any chance that this PR could be merged since it got an approval? :)

Thanks a lot!

[NMinhNguyen]

👋 I know, it's been a while, but is there any chance that this PR could be merged since it got an approval? :)

I don't think the approval was from a core maintainer 😕