Support updating Yarn binary

[ylemkimon]

What would you like Renovate to be able to do?

Update the Yarn (JavaScript package manager) binary to the latest version.

If you have any ideas on how this should be implemented, please tell us here.

The current version can be detected from .yarnrc.yml:

yarnPath: .yarn/releases/yarn-3.0.1.cjs

(However, the version cannot be detected if upgraded from Yarn 1:

yarnPath: ".yarn/releases/yarn-berry.cjs"

In this case, I think it should always run. )

The version data can be fetched from the npm @yarnpkg/cli package (npm datasource).

It can be updated by running:

yarn set version <version>
yarn install # update lockfile and cache

Afterwards, following paths should be commited:

.yarn/releases
.yarn/cache # if zero-installs is used
.pnp.cjs # if zero-installs is used
.yarnrc.yml
package.json
yarn.lock

Is this a feature you are interested in implementing yourself?

Yes

[viceice]

I think this should be a new yarn-version manager. So we don't make the npm manager more complicated. 🤔

[rarkins]

Yes you're right

[github-actions]

Hi there,

You're requesting support for a new package manager. We need to know some basic information about this package manager first. Please copy/paste the new package manager questionnaire, and fill it out in full.

Once the questionnaire is filled out we will evaluate if adding support for this manager is something we want to do.

Good luck,

The Renovate team

[ylemkimon]

New package manager questionnaire

Did you read our documentation on adding a package manager?

• I've read the adding a package manager documentation.

Basics

Name of package manager

yarn-version

What language does this support?

Yarn package manager (JavaScript)

How popular is this package manager?

We were at ~1k reported weekly users in late January (which of course doesn't include CIs and opted-out users/projects), and now at ~4k two months later.

from dependabot/dependabot-core#1297.

GitHub search shows 6,252 results for YAML with yarnPath config.

Does this language have other (competing?) package managers?

• Yes (give names)
• No

---

Package File Detection

What type of package files and names does it use?

.yarnrc.yml

What fileMatch pattern(s) should be used?

(^|/)\.yarnrc\.yml$

Is it likely that many users would need to extend this pattern for custom file names?

• Yes
• No

Is the fileMatch pattern likely to get many "false hits" for files that have nothing to do with package management?

No. It's almost exclusively used with Yarn Berry.

---

Parsing and Extraction

Can package files have "local" links to each other that need to be resolved?

No.

Is there a reason why package files need to be parsed together (in serial) instead of independently?

No. Only the innermost .yarnrc.yml is used if the multiple files exist and it'd be highly unlikely.

What format/syntax is the package file in?

• JSON
• TOML
• YAML
• Custom (explain below)

How do you suggest parsing the file?

• Off the shelf parser
• Using regex
• Custom-parsed line by line
• Other

Does the package file structure distinguish between different "types" of dependencies? e.g. production dependencies, dev dependencies, etc?

• Yes, production and development dependencies
• No, all dependencies are treated the same

List all the sources/syntaxes of dependencies that can be extracted

yarnPath: .yarn/releases/yarn-3.0.1.cjs

Describe which types of dependencies above are supported and which will be implemented in future

The manager handles only a single dependency, Yarn itself.

---

Versioning

What versioning scheme does the package file(s) use?

Semantic Versioning

Does this versioning scheme support range constraints, e.g. ^1.0.0 or 1.x?

• Supports range constraints (e.g ^1.0.0 or 1.x)
• No

Is this package manager used for applications, libraries, or both? If both, is there a way to tell which is which?

• Applications
• Libraries
• Both (explain how to tell which is which)

If ranges are supported, are there any cases when Renovate should pin ranges to exact versions if rangeStrategy=auto?

N/A

---

Lookup

Is a new datasource required? Provide details

• Yes, provide details.
• No.

npm datasource for @yarnpkg/cli can be used.

Will users need the capability to specify a custom host/registry to look up? Can it be found within the package files, or within other files inside the repository, or would it require Renovate configuration?

Existing npm datasource can be used.

Do the package files contain any "constraints" on the parent language (e.g. supports only v3.x of Python) or platform (Linux, Windows, etc) that should be used in the lookup procedure?

Existing npm datasource can be used.

Will users need the ability to configure language or other constraints using Renovate config?

Existing npm datasource can be used.

---

Artifacts

Are lock files or checksum files used? Are they mandatory?

Yes:

.yarnrc.yml
.yarn/releases # Yarn binary file
.yarn/cache
.pnp.cjs # if zero-installs is used, these paths vary depeding on `.yarnrc.yml`
package.json # packagemanager field
yarn.lock

If so, what tool and exact commands should be used if updating one or more package versions in a dependency file?

yarn set version <version>
yarn install

If applicable, describe how the tool maintains a cache and if it can be controlled via CLI or env? Do you recommend the cache be kept or disabled/ignored?

N/A

If applicable, what command should be used to generate a lock file from scratch if you already have a package file? This will be used for "lock file maintenance"

N/A

[renovate-release]

🎉 This issue has been resolved in version 28.21.0 🎉

The release is available on:

• GitHub release
• 28.21.0

Your semantic-release bot 📦🚀