From e7c5cf0bcab48c9d93fc1e25ecf8f188f7385f18 Mon Sep 17 00:00:00 2001
From: Jurre Stender
Date: Mon, 3 Oct 2022 13:17:43 +0200
Subject: [PATCH] Yarn Berry: Run commands in `update-lockfile` mode

Yarn Berry commands related to performing updates can run in a mode called `update-lockfile`, which was purpose-built for exactly what Dependabot does:
```
- `update-lockfile` will skip the link step altogether, and only fetch packages that are missing from the lockfile (or that have no associated checksums). This mode is typically used by tools like Renovate or Dependabot to keep a lockfile up-to-date without incurring the full install cost.
```
This makes yarn berry updates _significantly_ more performant, but it has the downside that when the yarn cache is committed to the repo, old entries in there are not cleaned up. Everything still works as expected when this happens, but over time it could lead to that cache folder getting larger than is necessary. I've opened an issue about this upstream: https://github.com/yarnpkg/berry/issues/4886, not entirely sure if this is a bug or just a consequence of how this works. For now I think it's worth the trade-off, as many projects don't commit the cache folder to repo, and the performance benefits are very significant. I'll try to find some time to address this upstream.
---
.../npm_and_yarn/file_updater/yarn_lockfile_updater.rb | 8 ++++----
.../spec/dependabot/npm_and_yarn/file_updater_spec.rb | 1 -
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
index 822b989f4d..6f1bcd5eff 100644
--- a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
+++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
@@ -161,7 +161,7 @@ def run_yarn_berry_top_level_updater(top_level_dependency_updates:, yarn_lock:)
 # updated to a single new version, so we just pick the first one.
 "#{dep[:name]}@#{dep[:requirements].first[:requirement]}"
 end
- command = "yarn add #{updates.join(' ')}"
+ command = "yarn add #{updates.join(' ')} --mode=update-lockfile"
 Helpers.run_yarn_commands(command)
 { yarn_lock.name => File.read(yarn_lock.name) }
 end
@@ -171,9 +171,9 @@ def run_yarn_berry_subdependency_updater(yarn_lock:)
 update = "#{dep.name}@#{dep.version}"
 Helpers.run_yarn_commands(
- "yarn add #{update}",
- "yarn dedupe #{dep.name}",
- "yarn remove #{dep.name}"
+ "yarn add #{update} --mode=update-lockfile",
+ "yarn dedupe #{dep.name} --mode=update-lockfile",
+ "yarn remove #{dep.name} --mode=update-lockfile"
 )
 { yarn_lock.name => File.read(yarn_lock.name) }
 end
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb
index c8eb16ebaf..eab2664d36 100644
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb
@@ -2995,7 +2995,6 @@
 it "updates the .yarn/cache folder" do
 expect(updated_files.map(&:name)).to match_array(
 [
- ".yarn/cache/fetch-factory-npm-0.0.1-e67abc1f87-ff7fe6fdb8.zip",
 ".yarn/cache/fetch-factory-npm-0.0.2-816f8766e1-200ddd8ae3.zip",
 ".yarn/install-state.gz",
 "package.json",
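Review bot: The `--mode=update-lockfile` suffix appended to `command` here is a bare string literal that this commit repeats in four command strings (this hunk and the three in the `run_yarn_berry_subdependency_updater` hunk below); a single frozen constant would keep them in sync, e.g. `UPDATE_LOCKFILE_MODE = "--mode=update-lockfile"` and `command = "yarn add #{updates.join(' ')} #{UPDATE_LOCKFILE_MODE}"`. The code alone makes the flag look like a pure speed-up, so a one-line comment above the assignment would help, e.g. `# --mode=update-lockfile skips the link step: only the lockfile and missing cache entries are touched`. As I read the Yarn Berry docs quoted in the description, skipping the link step also means the dependencies' install-time lifecycle scripts are not executed while Dependabot rewrites the lockfile, which is a useful property for code that processes third-party packages and is worth stating in that comment rather than leaving implicit. `run_yarn_berry_top_level_updater` starts before this hunk.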
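Review bot: The downside described in the commit message — stale entries left behind in a committed `.yarn/cache` — is nowhere visible in the code, and the `yarn add` / `yarn dedupe` / `yarn remove` sequence in this hunk is presumably where it shows up most, since the temporary `add` fetches an archive that the `remove` in this mode apparently no longer cleans up. A short comment above `Helpers.run_yarn_commands(` would save the next maintainer from rediscovering it, e.g. `# --mode=update-lockfile skips the link step; with a committed .yarn/cache, stale archives are not removed (yarnpkg/berry#4886)`. The spec change in file_updater_spec.rb reflects this by dropping the expectation that the old `fetch-factory` zip disappears from `updated_files`, so the comment could point there as well. `run_yarn_berry_subdependency_updater` starts before this hunk.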