Yarn version differences between distros

[meisterT]

We are using Yarn for frontend deps now. Ubuntu LTS comes with Yarn 1.x, while debian stable comes with Yarn 4.x. Yarn changed the lockfile format between version 1 and 2, so any time you run yarn install on debian, it will change the lockfile format, showing up in git diff and potentially being added to PRs where it would break other people who are stuck with older versions of Yarn.

Adding --immutable or --frozen-lockfile doesn't help, as Yarn fails then with something like:

... lots of output ...
➤ YN0028: │ The lockfile would have been modified by this install, which is explicitly forbidden.
➤ YN0000: └ Completed
➤ YN0000: · Failed with errors in 0s 265ms

Let's think about how to best resolve this:

• Add the file to .gitignore. Then you would need to do git add -f webapp/yarn.lock on actual desired changes, and you would have to do this on a machine where Yarn 1.x is available.
• Force debian users to somehow downgrade their Yarn version, e.g. by adding some apt sources that allow it or use npm to install it.
• Force Ubuntu users to somehow upgrade their Yarn version, by using similar mechanisms than debian users would need to use for the downgrade.
• Any other options?

[vmcj]

For us this is mainly a problem for development or inplace-installs, during the finals we already need to provide a tarball of the dependencies (both yarn & composer).

So I think upgrading for ubuntu users is the easiest as that seems to be the only distro which is behind at this point?

[Kevinjil]

Arch and derived distros only package yarn classic:

❯  pacman -Qi yarn
Name            : yarn
Version         : 1.22.22-2
Description     : Fast, reliable, and secure dependency management
Architecture    : any
URL             : https://classic.yarnpkg.com/
Licenses        : BSD-2-Clause
Groups          : None
Provides        : None
Depends On      : nodejs
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 19.26 MiB
Packager        : Daniel M. Capella <polyzen@archlinux.org>
Build Date      : 2024-07-11T02:00:44 CEST
Install Date    : 2024-08-28T00:23:50 CEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

[Kevinjil]

@meisterT Yarn differentiates between don't generate and fail vs don't generate and continue:

    --pure-lockfile                     don't generate a lockfile
    --frozen-lockfile                   don't generate a lockfile and fail if an update is needed

In yarn 2+, --frozen-lockfile was renamed to --immutable, which by design fails when a change is needed:

If the --immutable option is set (defaults to true on CI), Yarn will abort with an error exit code if the lockfile was to be modified (other paths can be added using the immutablePatterns configuration setting). For backward compatibility we offer an alias under the name of --frozen-lockfile, but it will be removed in a later release.

I installed yarn 4.x to try, but the --pure-lockfile seems to be gone, even though their changelog does not include this breaking change in any release.