Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating yarn packages #173

Merged
merged 2 commits into from
Jan 24, 2020
Merged

Updating yarn packages #173

merged 2 commits into from
Jan 24, 2020

Conversation

awead
Copy link
Contributor

@awead awead commented Jan 22, 2020

Updates everything to the latest, and resolves GHSA-h9rv-jmmf-4pgx related to XSS vulnerabilities with serialize-javascript.

@awead
Copy link
Contributor Author

awead commented Jan 22, 2020

@whereismyjetpack Note the build failure error An unexpected error occurred: "EACCES: permission denied, open '/app/yarn.lock'". This is first time (?) we've updated our JS packages, so could just be something in the setup that we didn't run into until now. Anyway, this is not urgent, but something to fix for this sprint.

@whereismyjetpack
Copy link
Contributor

something went to funk-town with this lock file. i modified Dockerfile to run yarn --frozen-lockfile however, then rails stared barking about the integrity check, so i ran yarn, updated the lock file locally and it's kosher now?

< magic.gif >

@whereismyjetpack
Copy link
Contributor

whereismyjetpack commented Jan 23, 2020
edited
Loading

This still isn't quite right. adding app content should always come after a yarn install. this allows the best level of caching for docker builds.

I don't think the generated lockfile in this case is quite right. I'm not sure how we got here, but if i clone the repository down and run in a folder with a fresh node_modules directory and run an integrity check, this is what i get. i've tried various versions of node and yarn and the results are always the same.

yarn check v1.21.1
warning Integrity check: Lock files don't match

the only way to clear it up is to regenerate the lock file and push it up. I'm curious if you could blow away node_modules and run yarn to generate a new lock file if it fixes it.

@awead awead force-pushed the yarn-updates branch 3 times, most recently from f6400ae to be6528c Compare January 23, 2020 15:51
@awead
Copy link
Contributor Author

awead commented Jan 23, 2020

@whereismyjetpack I don't think we want the integrity check. After rebuilding the lockfile locally with a fresh install of node_modules, the build works. Leaving in the --frozen-lockfile option will ensure that yarn isn't having to pull in any dependencies.

Right now, the build is failing for other reasons: test database isn't available.

@whereismyjetpack
Copy link
Contributor

--frozen-lockfile will ensure the versions of packages in lockfile are installed, without it, it's akin to running bundle update

The integrity check is just a safety net. rails runs this anyway, and i'd much rather have the build break, than the deployment.

https://yarnpkg.com/lang/en/docs/cli/install/#toc-yarn-install-frozen-lockfile
yarnpkg/yarn#4147

@awead
Updating yarn packages
1fa1241 
Updates everything to the latest, and resolves GHSA-h9rv-jmmf-4pgx
related to XSS vulnerabilities with serialize-javascript.

Adds --frozen-lockfile option to the Dockerfile so that deploys will
fail if yarn updates are needed.
@awead awead merged commit 6beca7e into master Jan 24, 2020
@awead awead deleted the yarn-updates branch January 24, 2020 02:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@awead @whereismyjetpack