This repository has been archived by the owner on May 24, 2022. It is now read-only.
Support vendoring for Yarn (specifically yarn-offline-mirror) #7
Hey Dylan,
Sounds like this would require censoring, which we don’t support at the moment but could in future.
I also noticed that you signed up for a paid Dependabot plan for your personal account. Dependabot is free for personal accounts! Please do change that over to a free account :-)
… On 28 Apr 2018, at 21:10, Dylan Harrington ***@***.***> wrote:
Hey, nice product!
I have a project with a .yarnrc at the root containing:
yarn-offline-mirror "./npm-packages-offline-cache"
yarn-offline-mirror-pruning true
This causes each yarn command (e.g. add, remove) to update npm-packages-offline-cache with the necessary .tgz files to do an --offline installation, and we keep it in version control.
Does Dependabot currently support this? If not, would you consider it?
Thanks
censoring -> vendoring in the above comment. Rather amusing autocorrect!
greysteil changed the title from "Support for yarn-offline-mirror?" to "Support vendoring for Yarn (specifically yarn-offline-mirror)" on Apr 29, 2018
FYI, I've moved this across to dependabot/dependabot-core#462, as it's an issue with Dependabot Core and that code is open source. Vendoring is something I'd like Dependabot to be able to handle in general, and will be necessary when we add Go support, which is coming. Long story short: we'll definitely get to this, but it's a slightly tricky problem because Dependabot doesn't clone your repo (and for security reasons probably shouldn't start doing so).
Makes sense, thanks!