Update resolutions in package.json when it's pinned to the version being updated #1318
Comments
Sounds complicated but useful. Can you provide any real examples of before/after where the resolutions field needed updating?
Of course, exhaustive requirements are also good, but people usually find it easier to provide examples. I assume one example is dependency X is pinned to v1.5.1 and has v1.5.1 in resolutions too. Then if v1.5.2 is released then presumably we need to update to v1.5.2 in both dependencies/devDependencies and resolutions. More complicated I think if the dependency is not pinned, e.g. ~1.5.0 in dependencies and v1.5.1 in resolutions.
Real-life example: Due to recent vulnerability discovered in Then 2.20.0 was released and Renovate comes with update PR, pinning But basically, when
So updating your resolution for moment to v2.20.0 fixed it?
Yes. I'm actually thinking that it's a Yarn problem too, as it should never allow
One more thing:
I have used or thought about yarn’s flat mode before now, however I think the simple requirement we discussed earlier is ok: “if the old version is pinned to the same version as in resolutions then keep resolutions in lockstep with the new version” |
Yarn supports selective dependency resolution (https://yarnpkg.com/lang/en/docs/selective-version-resolutions/) via the resolutions field in package.json. It will be a good idea and a possible prevention of some hard-to-find errors if Renovate checks this field while updating a dependency and updates it too if it is pinned to the same version.