[sdk/NodeJS] Vendor yarn.lock #10619
Labels
area/sdks: Pulumi language SDKs
impact/reliability: Something that feels unreliable or flaky
kind/bug: Some behavior is incorrect or out of spec
language/javascript
resolution/fixed: This issue was fixed
What happened?
Currently, the NodeJS SDK does not save the yarn.lock file to the repository. As a result, dependency versions can slip without us knowing, resulting in an unstable supply chain.
I suspect we haven't added this file in the past because the NodeJS SDK ships both as the library @pulumi/pulumi and as the Pulumi runtime executable (/sdk/nodejs/cmd/run/index.js). The runtime should vendor yarn.lock but as a library, @pulumi/pulumi should not. Perhaps we could ship these separately? If so, I can open a separate issue, and indicate that one blocks this issue.
This issue is to add yarn.lock to the repository.
Steps to reproduce
Expected Behavior
We should vendor a yarn.lock file, if only for our runtime.
Actual Behavior
No file exists.
Output of pulumi about
No response
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
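The drift described in this issue can be made visible with a small check, shown here as an added example that is not part of the original issue or of the Pulumi code base. It assumes the Yarn v1 lockfile format; the function names and the sample package.json and yarn.lock contents are hypothetical and constructed for illustration.

```javascript
// Constructed sample inputs (not taken from the Pulumi repository).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-runtime",
  dependencies: { "left-lib": "^1.2.0", "@scope/right-lib": "~2.0.0" },
  devDependencies: { "test-lib": "3.1.4" },
});

const SAMPLE_YARN_LOCK = [
  "# yarn lockfile v1",
  "",
  '"@scope/right-lib@~2.0.0":',
  '  version "2.0.7"',
  "",
  "left-lib@^1.0.0, left-lib@^1.2.0:",
  '  version "1.4.2"',
].join("\n");

// Parse a Yarn v1 lockfile into a Map of "name@range" -> resolved version.
function parseYarnLockV1(text) {
  const locked = new Map();
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Entry header: comma-separated, optionally quoted specifiers (simplified).
      keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
    } else {
      const m = /^  version "(.+)"$/.exec(line);
      if (m) for (const k of keys) locked.set(k, m[1]);
    }
  }
  return locked;
}

// Report every declared dependency whose range has no entry in the lockfile.
// With lockText === null (no lockfile committed) every dependency is unlocked.
function findUnlocked(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const locked = lockText === null ? new Map() : parseYarnLockV1(lockText);
  const unlocked = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!locked.has(`${name}@${range}`)) unlocked.push(`${name}@${range}`);
    }
  }
  return unlocked;
}

console.log(findUnlocked(SAMPLE_PACKAGE_JSON, null), findUnlocked(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK));
```

With Yarn v1, running yarn install --frozen-lockfile in CI fails the build when package.json and the committed yarn.lock disagree, which enforces the same property at install time.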