Verify integrity of dependencies in production with yarn
After https://github.com/mozilla/addons-frontend/issues/1391 we will be using yarn to install dependencies in production.
Let’s make sure all packages get installed without any surprises.
- A production install should never upgrade a package or its dependencies, even if a sub-dependency is declared with a loose version range. Please see this detailed example of what we should prevent.
- Verify the integrity of all packages. If one gets tampered with, the install step should fail. (Does yarn already do this by default? Maybe we need `yarn check`.)
This issue is about preventing malware on NPM from creeping into a production build (see the eslint malware scenario as an example). It would still be possible for a developer to unknowingly introduce malware when upgrading a dependency – that problem is out of scope.
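The two requirements above (no silent re-resolution of a dependency, and an integrity hash for every package, transitive ones included), as an added example that is not code from the issue or the addons-frontend project: it parses a Yarn v1 lockfile and a package.json and reports what `yarn install` would otherwise resolve afresh or fetch unverified. The package names, hash and lockfile contents are constructed.

```javascript
// Added example, not code from the addons-frontend project: parse a Yarn v1
// lockfile and flag what the issue asks to prevent, using constructed inputs.
// Yarn v1 format: an unindented line lists comma-separated "name@range" keys
// ending in ":", followed by indented "version"/"integrity"/... fields.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const keys = line.replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: null, integrity: null };
      for (const key of keys) entries[key] = current;
    } else if (current) {
      const m = line.trim().match(/^(version|integrity)\s+"?([^"\s]+)"?$/);
      if (m) current[m[1]] = m[2];
    }
  }
  return entries;
}

// A declared dependency with no exact "name@range" key would be re-resolved by
// `yarn install` (the silent upgrade to prevent); a lock entry with no
// integrity field cannot be checked against the tarball that gets downloaded.
function auditLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    if (!lock[`${name}@${range}`]) problems.push(`${name}@${range}: not pinned in yarn.lock`);
  }
  for (const entry of new Set(Object.values(lock))) {
    if (!entry.integrity) problems.push(`${entry.name}@${entry.version}: no integrity hash`);
  }
  return problems;
}

// Constructed sample (not real packages): pkg-002 is declared but unpinned,
// and the transitive sub-dep entry carries no integrity hash.
const SAMPLE_PACKAGE_JSON = { dependencies: { "pkg-001": "^1.0.0", "pkg-002": "1.0.0" } };
const SAMPLE_YARN_LOCK = `# yarn lockfile v1
"pkg-001@^1.0.0", pkg-001@^1.1.0:
  version "1.1.0"
  integrity sha512-CONSTRUCTED_PLACEHOLDER_HASH
  dependencies:
    sub-dep "^2.0.0"
sub-dep@^2.0.0:
  version "2.0.1"
`;
console.log(auditLock(SAMPLE_PACKAGE_JSON, parseYarnLock(SAMPLE_YARN_LOCK)));
```

In a real project this pre-check sits next to `yarn install --frozen-lockfile`, which makes the install itself fail when the lockfile would need changes.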
Issue Analytics
- Created 6 years ago
- Comments: 22 (22 by maintainers)
Sorry if the requirements of this issue were vague. It was also confusing because it made some assumptions about `yarn.lock` that were untrue. I updated the description to better illustrate what I originally intended. I am closing this issue now that it has been verified.

If you want to verify it:

If you remove the `yarn.lock` file and re-install the dependencies (`yarn install`), you’ll see an update of the sub-dependency (pkg-001). You can see the update by running `node index.js` again. If you discard your changes (`git checkout -- .`), and re-install the deps, it will be back to the state at (3).