Support Yarn v2 #1297
Any updates? 😄

Hi! 👋 We're still pretty swamped integrating Dependabot into GitHub, so we haven't yet gotten to this.

Now that yarn v2 is out, and pnp is enabled by default, maybe the prioritization of this issue should be revisited. We're in the process of switching to yarn v2 / pnp, but will for the time being not include the pnp file in the repo, because it'll cause problems with dependabot. We want to change this to use zero-installs, though.

Agreed that prioritization on this should be revisited. Dependabot is pretty much broken for anyone using Yarn v2 / pnp.

Is there anything the community can do to help push this along?
I push uncommitted changes after using Azure Pipelines:

```yaml
trigger:
  - master
pool:
  name: 'Hosted Ubuntu 1604'
  vmImage: 'ubuntu-latest'
steps:
  - checkout: self
    clean: true
    persistCredentials: true
  - task: NodeTool@0
    inputs:
      versionSpec: '10.16.x'
    displayName: 'Install Node.js'
  - script: |
      yarn install
    displayName: 'Install packages'
  - script: |
      git config --global user.email "[email protected]"
      git config --global user.name "eps1lon[bot]"
      git add -A
      git status
      git diff-index --quiet HEAD || (git commit --message 'yarn autofix' && git push -u origin HEAD:$(System.PullRequest.SourceBranch))
    # should test the actor but Build.RequestedFor does not point to dependabot but Microsoft.VisualStudio-something
    condition: and(succeeded(), startsWith(variables['System.PullRequest.SourceBranch'], 'dependabot/'))
    displayName: 'Autofix yarn for dependabot'
```

You could also include dependency deduplication or other autofixes in here.
Same problem here. Working on Yarnberry Cookbook and dependabot breaks
My guess, maybe there should be a lockfile option or detect the configuration from

I see that Dependabot can resolve updates for Yarn v2 repo, but chokes on local dependencies such as See Node.js API Starter Kit (Yarn v2 based monorepo), kriasoft/graphql-starter-kit#215.
Since Dependabot apparently doesn't work at all in our yarn v2 "Zero Install" repo, I wrote a GitHub Actions workflow that basically does what Dependabot did, but with just one PR for all updates:

```yaml
name: Update dependencies
on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: yarn up '*'
      - name: Create pull request
        uses: peter-evans/[email protected]
        with:
          commit-message: Update all dependencies
          branch: automatic_dependency_updates
          title: Update all dependencies
          body: An updated update of all NPM dependencies.
          #labels: auto-merge
          #reviewers: # optional
```
I'm using a similar as @AArnott does, with a simple plugin for using

Using the workflow code from here: dependabot/dependabot-core#1297 (comment)
Similar to #1297 (comment), I'm using a GitHub Actions workflow to fix and update PRs created by Dependabot. This way we can still benefit from its version update logic and release notes.

```yaml
name: Dependabot
on:
  push:
    branches: [ dependabot/npm_and_yarn/** ]
jobs:
  build:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 2
          persist-credentials: false # minimize exposure
      - name: Use Node.js 12.x
        uses: actions/setup-node@v1
        with:
          node-version: '12'
      - name: Autofix lockfile
        run: |
          # change directory
          # assuming Angular commit style (build: bump XXX from AAA to BBB in YYY)
          # use $8 for default commit message style (Bump XXX from AAA to BBB in YYY)
          cd .`git log -1 --pretty=%s | awk '{ print $9 }'`
          # restore yarn.lock from the previous commit
          git checkout HEAD^ -- yarn.lock
          # install yarn-plugin-deduplicate
          yarn plugin import https://raw.githubusercontent.com/eps1lon/yarn-plugin-deduplicate/latest/bin/%40yarnpkg/plugin-deduplicate.js
          # if package.json was not updated, upgrade the dependency
          # assuming Angular commit style (build: bump XXX from ...)
          # use $2 for default commit message style (Bump XXX from ...)
          git diff --name-only HEAD^ HEAD | grep -q 'package.json' || yarn up `git log -1 --pretty=%s | awk '{ print $3 }'`
          # restore package.json from the last commit
          git checkout HEAD -- package.json
          yarn install
          # deduplicate lockfile
          yarn deduplicate
        env:
          YARN_ENABLE_SCRIPTS: 0 # disable postinstall scripts
      - name: Config Git
        run: |
          # use personal access token to allow triggering new workflow
          BASIC_AUTH=$(echo -n "x-access-token:${{ secrets.GH_TOKEN }}" | base64)
          echo "::add-mask::$BASIC_AUTH"
          git config --global user.name '${{ github.event.commits[0].author.name }}'
          git config --global user.email '${{ github.event.commits[0].author.email }}'
          git config --local http.$GITHUB_SERVER_URL/.extraheader "AUTHORIZATION: basic $BASIC_AUTH"
      - name: Commit changes
        run: |
          cd .`git log -1 --pretty=%s | awk '{ print $9 }'` # ditto
          git add yarn.lock .yarn/cache .pnp.* # only add yarn.lock if not using zero-installs
          git commit -m "Dependabot autofix"
          git push
```

EDIT (Aug. 13): Updated to support subdirectories. The test repo is available at https://github.com/ylemkimon/berry-dependabot-test.
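The workflow above extracts the package name and directory from the Dependabot commit subject with fixed `awk` field positions (`$3`/`$9` for the Angular style, `$2`/`$8` for the default style), which silently break when the style changes. As an added example that is not from the thread, the functions below parse either style by pattern; the function names are mine and the sample subjects are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: parse a Dependabot commit subject into the
# bumped package name, the new version and the manifest directory, instead of
# relying on awk field positions that shift with the commit-message style.
# Function names are mine; the sample subject at the bottom is constructed.

# Print the package name from a subject such as
#   "Bump lodash from 4.17.15 to 4.17.19 in /packages/app"   (default style)
#   "build: bump lodash from 4.17.15 to 4.17.19"              (Angular style)
dependabot_pkg() {
  printf '%s\n' "$1" |
    sed -n -E 's/^([a-z]+(\([^)]*\))?: )?[Bb]ump ([^ ]+) from .*$/\3/p'
}

# Print the version the package was bumped to.
dependabot_version() {
  printf '%s\n' "$1" |
    sed -n -E 's/^.*[Bb]ump [^ ]+ from [^ ]+ to ([^ ]+).*$/\1/p'
}

# Print the manifest directory relative to the repo root ("." for the root).
# Dependabot writes it with a leading slash, e.g. "in /packages/app".
dependabot_dir() {
  dir=$(printf '%s\n' "$1" |
    sed -n -E 's|^.* from [^ ]+ to [^ ]+ in ([^ ]+)$|\1|p')
  case "$dir" in
    '') echo '.' ;;
    *)  echo "./${dir#/}" ;;
  esac
}

# In a workflow step the subject would come from `git log -1 --pretty=%s`;
# here a constructed subject stands in for it.
subject='build: bump @types/node from 14.0.0 to 14.0.1 in /packages/api'
echo "package=$(dependabot_pkg "$subject") version=$(dependabot_version "$subject") dir=$(dependabot_dir "$subject")"
```

A step can then run `cd "$(dependabot_dir "$subject")"` and `yarn up "$(dependabot_pkg "$subject")"` without caring which style the repository uses.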
FYI: I'd recommend not using this in production (at least for now). Issue to track inside the Yarn 2 repo: yarnpkg/berry#1492.

Thanks for your reply @jurre! I removed separate config for

Argh, sorry about that. I have a workflow to work around this bug. I was trying to explain why my Dependabot PRs had extra commits for working around this. So I put the URL to this issue in the commit message and forgot that it would also notify this issue. I'll remove that URL from the workflow first thing this morning. Sorry all!

@tobiasdiez I can't find anything that explains why you're seeing that "Checking now" in the logs and am a bit puzzled. Do you mind if I manually start a new update job from our end?

Seems to be a Schrödinger bug: once you look at it, it disappeared. Now it displays "Last checked 11 hours ago" (with an error symbol) and the log is
I didn't start a new run so that you can have a look, but feel free to start a new update if you would like to.

Quoting myself describing what may be the same issue for @jurre's convenience in case they have circumstances in common:
In the meantime, we remain satisfied with the original explanation that Dependabot was waiting in a queue.

I'm starting to lose track of what's happening in this thread, so asking folks to please open a new issue if you're running into things and tag me in it 🙇

Wondering when this will be generally available. Thanks!

Looks like the MR is already merged and it's just waiting for the next release?

Re calling

I'm happy to say that Yarn Berry support is now available on all repositories! 🎉 Thanks to everyone for providing valuable feedback and help with getting this shipped! If there are any edge cases that we've missed, please feel free to open up new issues for those and we'll try to fix them, but I'm going to close this issue out ❤️

Thank you @jurre!

Thank you so much @jurre. Confirmed working on my Yarn v4 repo (https://github.com/eve-val/eve-roster)

I believe that it's not working with the Zero Installs feature together with the --immutable option when running yarn. Seems that the

@viniciuspalma Create a new issue. See #1297 (comment). Please lock the issue before we get a dozen more "Thank you" responses and people attaching new problems to the ticket.

@viniciuspalma that should be supported, but please open up a new issue and describe the issue you're having. Links to repos where it can be reproduced will make it much easier for us to resolve the issue. I'm going to lock this issue as suggested, but please do open up new issues for any problems you run into.
While yarn v2 is still in development, alphas are already released and documented: https://yarnpkg.github.io/berry/

Since I'm a big fan of dependabot and yarn v2 I would like those two to get along better.

For the default configuration of yarn v2 dependabot already updates versions correctly. However, it does not update the PnP file of yarn. This means that in a fresh clone of a project that cannot enable zero-install you create a diff by simply running `yarn` because that will update the `pnp.js`. I don't know any dev history of dependabot with regards to `yarn` but it might make more sense for `dependabot` to "just" run `yarn up` which should cover `package.json`, `yarn.lock` and `.pnp.js`.

In addition to that a nice enhancement would be to run `yarn cache clean` for those who have the offline mirror checked into version control.

I solved both of these issues for me by letting a GitHub action clean up after dependabot by running `yarn` and `yarn cache clean` but that does mean dependabot can't make changes to the PR anymore.

A hardcoded `yarn.lock` filename might also be problematic in the future since the lockfile name is configurable in yarn v2.