build: upgrade Yarn from v3.6.0 to v4.1.0 #3049

Merged

petermetz

IMPORTANT: The lock file format has been updated yet again so you
need to run a yarn install after pulling this update on the main branch.

This is not technically a breaking change in the software's APIs but it
is in terms of breaking developers' workflows unless a specific set of
instructions (see above) is performed in order to do the migration.

  1. Upgraded Yarn to v4. Hopefully I didn't miss any of the places where
    the version was/is declared/documented/etc.
  2. Also added a new dependency vulnerability audit script which uses
    npm's own audit script/mechanism under the hood. Previously this was
    broken if you were using Yarn (e.g. pre-v4 releases of Yarn) but now
    we can have the dependency auditing done locally which is a great resource
    because we no longer have to depend only on GitHub's dependabot to tell
    us when a dependency has some vulnerabilities associated with it.

Point 2 is also the motivation behind the upgrade apart from the usual
reason for trying to keep us on the latest and greatest when it comes
to dependencies so that we don't paint ourselves into a corner when old
dependencies start to have hard-to-fix vulnerabilities.

Signed-off-by: Peter Somogyvari [email protected]

Pull Request Requirements

  • Rebased onto upstream/main branch and squashed into single commit to help maintainers review it more efficiently and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when, and why.
  • Have git sign off at the end of commit message to avoid being marked red. You can add -s flag when using git commit command. You may refer to this link for more information.
  • Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.
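
As an added example (not code from this pull request or the project's own audit script): one way a local audit gate could evaluate the JSON report that `npm audit --json` emits, the mechanism the description above says the new script uses under the hood. It assumes the npm 7+ report layout (`auditReportVersion` 2); the function name `gateAudit`, the default threshold and the sample report are constructed for illustration.

```javascript
// Severity ranks used in npm's audit report (auditReportVersion 2).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like `npm audit --json` output (package names
// and advisories are made up for illustration).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-http-lib": {
      name: "example-http-lib", severity: "high", isDirect: true,
      via: [{ title: "Constructed advisory", severity: "high" }],
      fixAvailable: true,
    },
    "example-wrapper": {
      name: "example-wrapper", severity: "high", isDirect: false,
      via: ["example-http-lib"], fixAvailable: false,
    },
    "example-logger": {
      name: "example-logger", severity: "low", isDirect: false,
      via: [{ title: "Constructed low-risk advisory", severity: "low" }],
      fixAvailable: true,
    },
  },
};

// Hypothetical gate: returns findings at or above minSeverity, worst first.
// A string entry in `via` names another vulnerable package that is the root
// cause; an object entry is an advisory against the package itself.
function gateAudit(report, minSeverity = "high") {
  if (report.auditReportVersion !== 2) throw new Error("unsupported report version");
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  // Fail closed: an unrecognised severity label is ranked as critical.
  const rank = (sev) => SEVERITY_RANK[sev] ?? SEVERITY_RANK.critical;
  const findings = Object.values(report.vulnerabilities || {})
    .filter((v) => rank(v.severity) >= floor)
    .map((v) => ({
      name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      advisories: (v.via || []).filter((x) => typeof x === "object").map((x) => x.title),
      causedBy: (v.via || []).filter((x) => typeof x === "string"),
      fixAvailable: Boolean(v.fixAvailable),
    }))
    .sort((a, b) => rank(b.severity) - rank(a.severity) || a.name.localeCompare(b.name));
  return { ok: findings.length === 0, findings };
}

const result = gateAudit(SAMPLE_REPORT, "high");
console.log(result.ok ? "audit clean" : JSON.stringify(result.findings, null, 2));
```

Separating `advisories` from `causedBy` shows which findings clear on their own once the root-cause package is upgraded, which keeps triage focused on the packages that actually carry an advisory.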


@jagpreetsinghsasan jagpreetsinghsasan left a comment

LGTM, will inform about this to the team once this gets merged


@izuru0 izuru0 left a comment

LGTM

@petermetz petermetz force-pushed the build-upgrade-yarn-to-v4 branch from dca6b40 to 6843fea Compare March 4, 2024 06:45
@petermetz

> LGTM, will inform about this to the team once this gets merged

@jagpreetsinghsasan Thank you! Please also note that if the yarn install itself fails, clearing all the node_modules folders might help with that.

@petermetz petermetz merged commit 228b7f9 into hyperledger-cacti:main Mar 4, 2024
131 of 147 checks passed
@petermetz petermetz deleted the build-upgrade-yarn-to-v4 branch March 4, 2024 07:21