Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yarn_install should use --frozen-lockfile #941

Closed
adam-azarchs opened this issue Jul 26, 2019 · 6 comments · Fixed by #2327
Closed

yarn_install should use --frozen-lockfile #941

adam-azarchs opened this issue Jul 26, 2019 · 6 comments · Fixed by #2327
Assignees
Milestone

Comments

@adam-azarchs
Copy link

🚀 feature request

Relevant Rules

yarn_install, npm_install

Description

In the interest of build reproduciblity, if the lockfile is wrong or incomplete then the build should fail. Running in these frozen modes is often faster as well.

Describe the solution you'd like

  • yarn_install should use yarn install --frozen-lockfile
  • npm_install should use npm ci instead of npm install

This is of course assuming that the relevant tools are new enough to support those arguments.

  • npm added the ci option in 5.7.1. The first node release to ship with npm>5.5.1 was 8.12.0, which could be an issue for versions 8.11.1 or 8.9.1. which are still supported by the rules.
  • yarn has had the --frozen-lockfile parameter since v0.19.0 - much older than any of the supported versions.

Describe alternatives you've considered

Make it optional? Doesn't seem like a good idea, though.

@Globegitter
Copy link
Contributor

My workflow is usually to add a package to the package.json or update it there and then let bazel handle the regeneration of my lock file. So if this was not customizable this imo valid workflow would break.

@adam-azarchs
Copy link
Author

While it wouldn't be how I'd do things, I can see an argument for it. However in the context of for example a CI system, it seems not unreasonable to demand that the lock file is frozen. That's what lock files are for, after all.

@Globegitter
Copy link
Contributor

Yep I do agree in a CI system it makes total sense and I would also be very happy to have it there. I was thinking in general if there is some way we can clean up the attributes for the flags a bit. There is one to add prod_only, one to switch to a local cache via use_global_yarn_cache and one to configure network_timeout and now this would add a fourth attribute and who knows, in the future there might be further ones coming.

Maybe we could just get rid of all of those before 1.0 and have a generic args attribute or extra_args, so the user can pass in whatever flags they want. The only tricky thing is that we use --cwd, --network-timeout, and --mutex per default, so we would need some validation, e.g. cwd should not be overriden, --network-timeout we could probably just override if that is provided but --mutex would need a bit more thinking. So yeah I wonder if we can do this in some nice way. WDYT?

But even if we have it configurable the question is what should be the default and if we should make it configurable on a per-invocation basis. Unfortunately currently bazel only allows that via env vars for repository rules. So we could check for a BAZEL_YARN_FROZEN_LOCKFILE env var or similar to set the flag dynamically.

@gregmagolan gregmagolan added this to the 1.0 milestone Sep 19, 2019
@alexeagle alexeagle removed this from the 1.0 milestone Nov 14, 2019
@github-actions
Copy link

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs in two weeks. Collaborators can add a "cleanup" or "need: discussion" label to keep it open indefinitely. Thanks for your contributions to rules_nodejs!

@github-actions github-actions bot added the Can Close? We will close this in 30 days if there is no further activity label Oct 15, 2020
@DavidANeil
Copy link
Contributor

This can be done through passing args = ["--frozen-lockfile"], to the yarn_install in your WORKSPACE file.

@jbedard jbedard removed the Can Close? We will close this in 30 days if there is no further activity label Oct 15, 2020
@alexeagle alexeagle added this to the 3.0 milestone Oct 27, 2020
@rayman1104 rayman1104 self-assigned this Nov 3, 2020
@alexeagle alexeagle assigned lukasholzer and unassigned rayman1104 Dec 1, 2020
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 2, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 6, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 8, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 8, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
lukasholzer pushed a commit to lukasholzer/rules_nodejs that referenced this issue Dec 14, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes bazel-contrib#941
alexeagle pushed a commit that referenced this issue Dec 15, 2020
To be more hermetic with the install of the dependencies use the frozen lockfile flag to install the exact version from the `yarn.lock` file.

To update a dependency use the vendored yarn binary with `bazel run @nodejs//:yarn upgrade <dep-name>`.

Fixes #941
@alexeagle
Copy link
Collaborator

#2327 fixed it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants