Commit b59d1a0d authored by Lukas Eipert

Add check whether yarn.lock needs to be updated

Under certain circumstances (bad merges?) the yarn.lock file might
contain extraneous root dependencies. This is not a security risk because
the dependencies are simply not downloaded. However, it can be confusing
because a `yarn install` updates `yarn.lock` locally, while a `yarn
install --frozen-lockfile` does not fail in CI.

The last time this happened was after
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55062
was merged.

Interestingly a `yarn check --integrity` would fail. We already utilize
this locally when running `yarn run jest`. This is also not executed in
CI, because we run `yarn run jest:ci` there. Simply adding the same
check to our `static-analysis` will solve the problem in the future.
parent 5fdc0c6d
......@@ -55,6 +55,7 @@ class StaticAnalysis
Task.new(%w[yarn run internal:stylelint], 8),
Task.new(%w[scripts/lint-conflicts.sh], 1),
Task.new(%w[yarn run block-dependencies], 1),
Task.new(%w[yarn run check-dependencies], 1),
Task.new(%w[scripts/lint-rugged], 1),
Task.new(%w[scripts/gemfile_lock_changed.sh], 1)
].compact.freeze
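Review bot: The `Task.new(%w[yarn run check-dependencies], 1)` entry gives no hint of what it verifies, and the script it calls is defined outside this hunk. The commit message describes the check as `yarn check --integrity`, so it is worth confirming that the `check-dependencies` script is defined with that command in the same change, otherwise the task fails for the wrong reason. Because the name sits directly beside `block-dependencies`, a one-line comment on the entry stating that it fails when `yarn.lock` is out of sync with `package.json` would help whoever next sees this job fail in `static-analysis`. The second argument of 1 matches the neighbouring lightweight tasks; please confirm it reflects the measured runtime of the integrity check on a full checkout.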