$> curl "https://gist.githubusercontent.com/pftg/fa8fe4ca2bb4638fbd19324376487f42/raw/f9056244c416d2f56d6d94290e5ecef5960abf66/rejuvenation.rb" | rubyor
$> ruby rejuvenation.rb
$> yarn install
Last active
March 9, 2023 19:56
-
-
Save pftg/fa8fe4ca2bb4638fbd19324376487f42 to your computer and use it in GitHub Desktop.
Update indirect dependencies in yarn.lock. `ruby rejuvenation.rb & yarn install`
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # USAGE: `$> ruby rejuvenation.rb` | |
| require 'json' | |
| EXTRACT_DEPENDENCY_NAME = /"?(.+?)@.+?"?(?:,\s+|\Z)/.freeze | |
| EXTRACT_DEPENDENCY_DETAILS = /(^((?!= ).*?):\n.*?(?:\n\n|\Z))/m.freeze | |
| def direct_dependencies_names | |
| package_json = JSON.parse(File.open('package.json').read) | |
| direct_dependencies = package_json.fetch_values('dependencies', 'devDependencies', 'peerDependencies') { } | |
| direct_dependencies.compact.inject([]) { |memo, v| memo.concat(v.keys) } | |
| end | |
| @dependencies = direct_dependencies_names | |
| yarn_lock_content = File.open('yarn.lock').read | |
| File.open('yarn.lock', 'w') do |file| | |
| yarn_lock_content.scan(EXTRACT_DEPENDENCY_DETAILS).map do |dependency_block| | |
| direct_dep = @dependencies.include?(dependency_block[1].match(EXTRACT_DEPENDENCY_NAME).to_a[1]) | |
| file.puts dependency_block[0] if direct_dep | |
| end | |
| end | |
| `yarn install` |
It’s hard to set package versions for some indirect dependencies
I don't understand how the conversation turned to controlling the versions of indirect dependencies, when both "yarn upgrade" and this script will result in updating indirect dependencies to the newest available version allowed by their selectors, which seems like the best option in most cases.
Yarn does not upgrade indirect versions, it will eventually installs last indirect version when you are upgrading version from package.json. I think more details you can find in yarnpkg/yarn#4986
So you can use this script in cases when you cannot add them into list. One of the cases when the same package have more then 2 versions in the project and they have breaking changes, you cannot use one package to replace both.
Yarn does not upgrade indirect versions
As niklasholm and others have stated in that thread, that isn't true. "yarn upgrade" will upgrade indirect dependencies. The issue you linked to is a request for enhancement that would allow yarn to upgrade specific indirect dependencies without upgrading all of them.
But upgrading all of the indirect dependencies is what your script appears to do, and what "yarn upgrade" does.
Yeah you are right. This script had been created before, yarn could upgrade indirect deps. So now it’s redundant even for
v1
@gordonmessmer thank you
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It’s hard to set package versions for some indirect dependencies, as I recall something related to work with terminal or other legacy deps.
For example:
Av1 -> Bv1 -> Cv0.1.0
Av1 -> Dv1 -> Cv1.0.0
And you got new security patch Cv1.0.1 and Cv0.1.1
For big and uniq indirect dependencies better if you would put them into package.json, but again, js packages is a big mess.