Add --frozen-lockfile to yarn install commands in CI#17101
Merged
Conversation
rak-phillip
commented
Apr 1, 2026
| @@ -80,7 +80,7 @@ else | |||
| echo "" | |||
| echo "To test with yarn link:" | |||
| echo " cd dist" | |||
| echo " yarn install && yarn link" | |||
| echo " yarn install --frozen-lockfile && yarn link" | |||
Member
Author
There was a problem hiding this comment.
This change isn't needed. It's just a command for developers.
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
rak-phillip
force-pushed
the
task/ci-frozen-lockfile
branch
from
424b237 to
83472e8
Compare
richard-cox
approved these changes
Apr 2, 2026
Member
richard-cox
left a comment
richard-cox
left a comment
There was a problem hiding this comment.
Looking at the docs https://classic.yarnpkg.com/en/docs/cli/install#toc-yarn-install... they're bad.
From what i can tell neither modify the lock file (yarnpkg/yarn#5847 (comment)), however pure-lockfile will still install package.json ranges whilst frozen-lockfile exits with a failure.
In both cases we should avoid the package.json overriding the lock, so frozen-lockfile seems a good choice (even if it will lead to lots of failures)
This was referenced Apr 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This updates yarn install usage to enforce
--frozen-lockfileacross allyarnandyarn installcommands.Occurred changes and/or fixed issues
--frozen-lockfileto yarn install commands in CI--frozen-lockfileto bareyarncommands--pure-lockfileto--frozen-lockfileTechnical notes summary
--frozen-lockfilemakes installs deterministic by ensuring that yarn installs the exact dependency versions already defined inyarn.lock. If the lockfile is out of sync withpackage.json, the install fails immediately instead of silently re-resolving dependencies or mutating the lockfile.Areas or cases that should be tested
CI should pass without failure.
Areas which could experience regressions
There are some scripts that have been altered, mostly related to extension builds and tooling. I'm not sure if we need to change these files, but if they are run in CI in any way, the answer is yes: the aim of this PR is to prevent accidental lockfile updates during CI runs and to ensure that every pipeline execution installs the same dependency graph.
Screenshot/Video
NA
Checklist
Admin,Standard UserandUser Base