
Update resolutions in package.json when it's pinned to the version being updated #1318

Closed
tinovyatkin opened this issue Dec 20, 2017 · 7 comments
Labels
help wanted Help is needed or welcomed on this issue priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others type:feature Feature (new functionality)

Comments

@tinovyatkin

Yarn supports selective dependency resolution (https://yarnpkg.com/lang/en/docs/selective-version-resolutions/) via the resolutions field in package.json. It would be a good idea, and a possible prevention of some hard-to-find errors, if Renovate checked this field while updating a dependency and updated it too if it is pinned to the same version.

@rarkins
Collaborator

rarkins commented Dec 20, 2017

Sounds complicated but useful. Can you provide any real examples of before/after where the resolutions field needed updating?

@rarkins rarkins added type:feature Feature (new functionality) help wanted Help is needed or welcomed on this issue needs-requirements priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others labels Dec 20, 2017
@rarkins
Collaborator

rarkins commented Dec 20, 2017

Of course, exhaustive requirements are also good, but people usually find it easier to provide examples. I assume one example is dependency X is pinned to v1.5.1 and has v1.5.1 in resolutions too. Then if v1.5.2 is released then presumably we need to update to v1.5.2 in both dependencies/devDependencies and resolutions. More complicated I think if the dependency is not pinned, e.g. ~1.5.0 in dependencies and v1.5.1 in resolutions.

@tinovyatkin
Author

tinovyatkin commented Dec 20, 2017

Real life example:

Due to a recent vulnerability discovered in moment, we pinned it via resolutions to the first version with the fix (let's say 2.19.3). It works well for all modules depending on moment (in our project we have, for example, moment-timezone and twilio).

Then 2.20.0 was released and Renovate came with an update PR, pinning moment in deps to 2.20.0 but leaving it in resolutions at 2.19.3. That resulted in some moment dependants, like moment-timezone, failing to load with a very, very rare exception that was hard to debug (on a dev machine we probably still had moment 2.19.3 installed, but on new installs it's missing). As the developer who pinned moment via resolutions was different from the developer who merged the Renovate commit, it all got even more complicated.

But basically, when a resolution exists, it must be taken into account by any update of that dependency.

@rarkins
Collaborator

rarkins commented Dec 20, 2017

So updating your resolution for moment to v2.20.0 fixed it?

@tinovyatkin
Author

tinovyatkin commented Dec 20, 2017

Yes.

I'm actually thinking that it's a Yarn problem too, as it should never allow resolutions to resolve to a non-installed version, but at the moment Renovate can do a good job at least with pinned resolutions.

@tinovyatkin
Author

One more thing: yarn install --flat fills up resolutions with exact version pins, so I think an exact version update must also update the resolutions - it will cover the most common use case.

@rarkins
Collaborator

rarkins commented Dec 21, 2017

I have used or thought about yarn’s flat mode before now; however, I think the simple requirement we discussed earlier is ok: “if the old version is pinned to the same version as in resolutions then keep resolutions in lockstep with the new version”

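The lockstep rule agreed above, and the moment before/after scenario from the earlier comment, as an added worked example. This is not Renovate's or Yarn's code; the function names, the `DEP_SECTIONS` list and the sample package.json are assumptions constructed for the demo. It rewrites the direct dependency, rewrites every `resolutions` entry for the same package only when that entry is pinned to exactly the old version, and reports any entry it left behind so a reviewer can see the mismatch that caused the hard-to-debug failure described in the thread.

```javascript
// Added example (not Renovate's code): keep Yarn `resolutions` in lockstep with
// a pinned dependency being updated. Rule demonstrated: if the old version in
// dependencies/devDependencies is the same exact version as in resolutions,
// rewrite the matching resolutions entries too; otherwise leave them and flag them.
// Section names, helper names and the sample package.json are assumptions.

const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Constructed sample mirroring the moment scenario from the issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { moment: '2.19.3', 'moment-timezone': '0.5.14', twilio: '3.10.0' },
  resolutions: { moment: '2.19.3', '**/moment': '2.19.3', 'twilio/lodash': '4.17.4' },
}, null, 2);

// True only for an exact semver pin (no ^, ~, ranges or tags).
function isExactVersion(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Yarn resolution keys are glob-like paths ("**/moment", "twilio/lodash");
// the package being resolved is the last segment, or the last two for a scope.
function resolutionPackageName(key) {
  const segments = key.split('/');
  if (segments.length >= 2 && segments[segments.length - 2].startsWith('@')) {
    return segments.slice(-2).join('/');
  }
  return segments[segments.length - 1];
}

// Returns the rewritten package.json text, the list of fields changed, and the
// resolutions entries that now disagree with the direct dependency.
function updateDependency(pkgJsonText, depName, newVersion) {
  const pkg = JSON.parse(pkgJsonText);
  const changed = [];
  let oldVersion = null;

  for (const section of DEP_SECTIONS) {
    if (pkg[section] && pkg[section][depName] !== undefined) {
      oldVersion = pkg[section][depName];
      pkg[section][depName] = newVersion;
      changed.push(`${section}.${depName}`);
    }
  }
  if (oldVersion === null) {
    return { pkgJson: pkgJsonText, changed, resolutionsMismatch: [] };
  }

  const resolutionsMismatch = [];
  if (pkg.resolutions) {
    for (const key of Object.keys(pkg.resolutions)) {
      if (resolutionPackageName(key) !== depName) continue;
      const pinned = pkg.resolutions[key];
      if (isExactVersion(oldVersion) && pinned === oldVersion) {
        // Pinned to the same old version: keep it in lockstep.
        pkg.resolutions[key] = newVersion;
        changed.push(`resolutions.${key}`);
      } else {
        // Not in lockstep (range in deps, or a different pin): leave it, but
        // report it, because dependants resolving through this key would get a
        // version that differs from the direct dependency after install.
        resolutionsMismatch.push({ key, pinned, direct: newVersion });
      }
    }
  }
  return { pkgJson: JSON.stringify(pkg, null, 2), changed, resolutionsMismatch };
}

// Stand-alone demo: the 2.19.3 -> 2.20.0 update from the issue.
const demo = updateDependency(SAMPLE_PACKAGE_JSON, 'moment', '2.20.0');
console.log(demo.changed.join('\n'));
console.log(demo.pkgJson);
```

The mismatch list is the part worth surfacing in an update PR: a range such as `~2.19.0` in dependencies next to an exact `2.19.3` in resolutions is the "more complicated" case from the thread, and the function deliberately does not guess what the resolution should become there.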
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2020