[sdk/NodeJS] Vendor yarn.lock #10619

Closed
RobbieMcKinstry opened this issue Sep 3, 2022 · 0 comments · Fixed by #10815
Labels: area/sdks (Pulumi language SDKs), impact/reliability (Something that feels unreliable or flaky), kind/bug (Some behavior is incorrect or out of spec), language/javascript, resolution/fixed (This issue was fixed)

Comments

@RobbieMcKinstry
Contributor

What happened?

Currently, the NodeJS SDK does not save the yarn.lock file to the repository. As a result, dependency versions can slip without us knowing, resulting in an unstable supply chain.

I suspect we haven't added this file in the past because the NodeJS SDK ships both as the library @pulumi/pulumi and as the Pulumi runtime executable (/sdk/nodejs/cmd/run/index.js). The runtime should vendor yarn.lock, but as a library, @pulumi/pulumi should not. Perhaps we could ship these separately? If so, I can open a separate issue, and indicate that one blocks this issue.

This issue is to add yarn.lock to the repository.

Steps to reproduce

  1. Inspect the git tree at /sdk/nodejs/ and observe no yarn.lock

Expected Behavior

We should vendor a yarn.lock file, if only for our runtime.

Actual Behavior

No file exists.

Output of pulumi about

No response

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@RobbieMcKinstry RobbieMcKinstry added kind/bug Some behavior is incorrect or out of spec area/sdks Pulumi language SDKs impact/reliability Something that feels unreliable or flaky language/javascript labels Sep 3, 2022
@AaronFriel AaronFriel self-assigned this Sep 22, 2022
@AaronFriel AaronFriel added this to the 0.78 milestone Sep 22, 2022
@bors bors bot closed this as completed in f033d9d Sep 22, 2022
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Sep 22, 2022