Yarn Up is not respecting the semantic version of a package.

[tonystecca]

Hello all,

I have a mono-repo with 6 folders, each with a package.json file, plus a package.json in the root. Yarn workspaces are set up in the root package.json. None of the sub-folders have node_modules folders and there is one yarn.lock file in the root. Yarn version is 3.2.1. Everything is working but I'm having trouble updating dependencies on a weekly basis.

I'd like to update all minor and patch versions weekly to stay current and resolve security issues. I run yarn up '*' and that updates packages that have newer versions in all package.json files. This is very close to what I want, except that this command updates even the major versions. This is not very convenient - major version updates contain breaking changes and it's not feasible to resolve these on a weekly basis. I was hoping that yarn up would behave more like npm update and respect semantic versioning.

I've tried pinning packages to specific versions with "package-name": "=4.x.x" but yarn up ignores the = and upgrades them to the latest available. I'm attaching a Git diff of before and after yarn up '*'. You can see how Yarn has ignored the semantic version specified in the package.json an updated packages to the next major version.

Am I doing something wrong? I'd like to resolve the issue here in the discussions before raising an issue.

Thanks

[devoto13]

Perhaps -R option may work for you? It will resolve every semver range to the latest matching version (so you stay current and resolve security issues), but it won't update any package.jsons, so it only affects monorepo, not consumers of the packages if you publish them.

If `-R,--recursive` is set the command will change behavior and no other switch
will be allowed. When operating under this mode `yarn up` will force all ranges
matching the selected packages to be resolved again (often to the highest
available versions) before being stored in the lockfile. It however won't touch
your manifests anymore, so depending on your needs you might want to run both
`yarn up` and `yarn up -R` to cover all bases.

[noahnu]

Another option is to use my yarn plugin which adds a yarn semver up command: https://github.com/tophat/yarn-plugin-semver-up