Automatize yarn.lock or remove it

[nulls]

          > shouldn't it be automatically? @nulls

we have it as a separate task in save-cloud, but we don't have such in save-cli

honestly, I don't understand why we need yarn.lock in save-cli: it doesn't have JS executable artifact, only as a library (and it's a pure kotlin app). Will create an issue for it (if we need the yarn.lock, will create a task for it as in save-cloud),

And still it can fail: even in save-cloud, the task kotlinUpgradeYarnLock is separate and if JS dependency changed by upgrading the kolin (as we see it here) -- it fails

Originally posted by @nulls in #518 (comment)

[nulls]

can we unify updates in JS and in kotlinUpgradeYarnLock into the single action for renovate bot?

[petertrr]

Without a lockfile, yarn/npm will always resolve version ranges each time build is performed. Some time ago, there was an incident when this setup caused all Kotlin installations to download a certain dependency version that contained malware. Since then, having yarn.lock in Kotlin projects is both enabled by default and recommended.

Here is the blog post about the original issue: https://blog.jetbrains.com/kotlin/2021/10/important-ua-parser-js-exploit-and-kotlin-js/