[Feature] upgrade-interactive feature to show workspaces #2591
Labels
enhancement
New feature or request
Comments
|
Was just about to open an issue suggesting the same feature. Glad to see someone has already requested this. I especially like this part:
|
|
Hoping to see this as well in Yarn v2. Came across a feature for Yarn ~v1.2 that implemented something similar: yarnpkg/yarn#4654 (comment) Ideally this feature could also filter the results to just one workspace, too. For example, |
3 tasks
2 tasks
|
I would love to see: or and/or show which workspaces have dependencies when selecting versions. Currently, we have to refer to package.json files to see which versions are in which workspaces. Quite the chore in a large monorepo! |
|
agree! and it gets especially confusing when multiple packages have the same dependency version, but you only want to update one... it worked perfectly fine with yarn1, i dont get how a regression like this could be left unresolved for years |
|
There's a PR open for this here #3260 |
|
I have created a plugin for yarn : https://github.com/eyolas/yarn-plugin-interractive-filter |
2 tasks
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Jun 1, 2024
This plugin allows to resolve some CVEs more surgically that are found in indirect dependencies which are difficult to upgrade without triggering a large change needed and potential migrations, breaking changes to the public APIs of packages. The reason why the above problem happens is because `yarn up` and `yarn up -R` are blunt instruments when it comes to managing a monorepo such as ours: They do their upgrade all-or-nothing, e.g. you can't upgrade a single dependency in a single monorepo package, you must upgrade the dependency project-wide with the mentioned tools, but sometimes we need to perform the upgrade just in a single monorepo package. For example to the above, about 20 packages use web3 but only about 5 of those are using v4.x versions of web3. A new CVE came out covering v4.1.x and so I needed to upgrade web3 only in those packages where web3 was already above v4.0.0 and leave the older ones alone (surgical upgrades). To accomplish this I've found no way to do it with stock yarn CLI commands, but someone who had the exact same problem had written a plugin for solving it. The original issue reported to yarn with the same problem we are having: yarnpkg/berry#2591 The repository where the plugin resides that we are adding in this commit in order to remediate the problem of lack of surgical (per-package) upgrades: https://github.com/eyolas/yarn-plugin-interractive-filter The original CVE that I was investigating as I stumbled upon the solution: - https://github.com/hyperledger/cacti/pull/3264 - https://github.com/hyperledger/cacti/security/dependabot/987 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Merged
5 tasks
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Jun 6, 2024
This plugin allows to resolve some CVEs more surgically that are found in indirect dependencies which are difficult to upgrade without triggering a large change needed and potential migrations, breaking changes to the public APIs of packages. The reason why the above problem happens is because `yarn up` and `yarn up -R` are blunt instruments when it comes to managing a monorepo such as ours: They do their upgrade all-or-nothing, e.g. you can't upgrade a single dependency in a single monorepo package, you must upgrade the dependency project-wide with the mentioned tools, but sometimes we need to perform the upgrade just in a single monorepo package. For example to the above, about 20 packages use web3 but only about 5 of those are using v4.x versions of web3. A new CVE came out covering v4.1.x and so I needed to upgrade web3 only in those packages where web3 was already above v4.0.0 and leave the older ones alone (surgical upgrades). To accomplish this I've found no way to do it with stock yarn CLI commands, but someone who had the exact same problem had written a plugin for solving it. The original issue reported to yarn with the same problem we are having: yarnpkg/berry#2591 The repository where the plugin resides that we are adding in this commit in order to remediate the problem of lack of surgical (per-package) upgrades: https://github.com/eyolas/yarn-plugin-interractive-filter The original CVE that I was investigating as I stumbled upon the solution: - https://github.com/hyperledger/cacti/pull/3264 - https://github.com/hyperledger/cacti/security/dependabot/987 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to hyperledger-cacti/cacti
that referenced
this issue
Jun 6, 2024
This plugin allows to resolve some CVEs more surgically that are found in indirect dependencies which are difficult to upgrade without triggering a large change needed and potential migrations, breaking changes to the public APIs of packages. The reason why the above problem happens is because `yarn up` and `yarn up -R` are blunt instruments when it comes to managing a monorepo such as ours: They do their upgrade all-or-nothing, e.g. you can't upgrade a single dependency in a single monorepo package, you must upgrade the dependency project-wide with the mentioned tools, but sometimes we need to perform the upgrade just in a single monorepo package. For example to the above, about 20 packages use web3 but only about 5 of those are using v4.x versions of web3. A new CVE came out covering v4.1.x and so I needed to upgrade web3 only in those packages where web3 was already above v4.0.0 and leave the older ones alone (surgical upgrades). To accomplish this I've found no way to do it with stock yarn CLI commands, but someone who had the exact same problem had written a plugin for solving it. The original issue reported to yarn with the same problem we are having: yarnpkg/berry#2591 The repository where the plugin resides that we are adding in this commit in order to remediate the problem of lack of surgical (per-package) upgrades: https://github.com/eyolas/yarn-plugin-interractive-filter The original CVE that I was investigating as I stumbled upon the solution: - https://github.com/hyperledger/cacti/pull/3264 - https://github.com/hyperledger/cacti/security/dependabot/987 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
fazzatti
pushed a commit
to fazzatti/cacti
that referenced
this issue
Jun 24, 2024
This plugin allows to resolve some CVEs more surgically that are found in indirect dependencies which are difficult to upgrade without triggering a large change needed and potential migrations, breaking changes to the public APIs of packages. The reason why the above problem happens is because `yarn up` and `yarn up -R` are blunt instruments when it comes to managing a monorepo such as ours: They do their upgrade all-or-nothing, e.g. you can't upgrade a single dependency in a single monorepo package, you must upgrade the dependency project-wide with the mentioned tools, but sometimes we need to perform the upgrade just in a single monorepo package. For example to the above, about 20 packages use web3 but only about 5 of those are using v4.x versions of web3. A new CVE came out covering v4.1.x and so I needed to upgrade web3 only in those packages where web3 was already above v4.0.0 and leave the older ones alone (surgical upgrades). To accomplish this I've found no way to do it with stock yarn CLI commands, but someone who had the exact same problem had written a plugin for solving it. The original issue reported to yarn with the same problem we are having: yarnpkg/berry#2591 The repository where the plugin resides that we are adding in this commit in order to remediate the problem of lack of surgical (per-package) upgrades: https://github.com/eyolas/yarn-plugin-interractive-filter The original CVE that I was investigating as I stumbled upon the solution: - https://github.com/hyperledger/cacti/pull/3264 - https://github.com/hyperledger/cacti/security/dependabot/987 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES
pushed a commit
to sandeepnRES/cacti
that referenced
this issue
Jul 30, 2024
This plugin allows to resolve some CVEs more surgically that are found in indirect dependencies which are difficult to upgrade without triggering a large change needed and potential migrations, breaking changes to the public APIs of packages. The reason why the above problem happens is because `yarn up` and `yarn up -R` are blunt instruments when it comes to managing a monorepo such as ours: They do their upgrade all-or-nothing, e.g. you can't upgrade a single dependency in a single monorepo package, you must upgrade the dependency project-wide with the mentioned tools, but sometimes we need to perform the upgrade just in a single monorepo package. For example to the above, about 20 packages use web3 but only about 5 of those are using v4.x versions of web3. A new CVE came out covering v4.1.x and so I needed to upgrade web3 only in those packages where web3 was already above v4.0.0 and leave the older ones alone (surgical upgrades). To accomplish this I've found no way to do it with stock yarn CLI commands, but someone who had the exact same problem had written a plugin for solving it. The original issue reported to yarn with the same problem we are having: yarnpkg/berry#2591 The repository where the plugin resides that we are adding in this commit in order to remediate the problem of lack of surgical (per-package) upgrades: https://github.com/eyolas/yarn-plugin-interractive-filter The original CVE that I was investigating as I stumbled upon the solution: - https://github.com/hyperledger/cacti/pull/3264 - https://github.com/hyperledger/cacti/security/dependabot/987 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the user story
Yarn
upgrade-interactiveis a great time-saver!I have workspaces that use different versions of the same package. For example, one workspace is using a version
^4.11.3and another workspace is using versionnext.The problem is that when I run
yarn upgrade-interactive, there is no information about which workspaces are being upgraded, and the information that is displayed is not accurate:This is not accurate because the menu only shows the Current version as
next, despite the fact that there's multiple workspaces, some usingnextand some using^4.11.3.Which workspaces is it going to upgrade if I change the version?
How can the user understand what will be upgraded?
Describe the solution you'd like
A few possible solutions for this:
yarn upgrade-interactive --workspace-versionswould always show the workspace column and always show separate entries for each workspace, not just when there's multiple versions.yarn upgrade-interactive --workspace-versionswould always show a separate section for each workspace.Describe the drawbacks of your solution
If someone was upgrading a messy package with a bunch of workspaces that had different versions of things, they may have to press enter more times.
Describe alternatives you've considered
Since it's ambiguous about which workspaces will be upgraded (Current does not reflect the version used by some workspaces), this could be considered a bug.
The text was updated successfully, but these errors were encountered: