
yarn-unlock-file v1.1.0

Unlock versions of your indirect dependencies

Downloads: 17

Readme

yarn-unlock-file

because there is a yarn.lock you want to unlock

Problem statement

When you install a package, information about the particular versions used is saved into a lock file. This makes future installs deterministic: the same package versions will always be installed.

However, this also creates a problem: a first install and a later update behave differently.

  • update: if you already have a package matching the allowed semver range, it will be kept.
  • first install: the latest version of each package matching the semver range is installed.

This leads to a problem when package authors need cascading updates, while package consumers may be left unprotected, locked into obsolete versions of transitive dependencies.

This is discussed as a feature request in yarnpkg/yarn#4986 (opened 11/2017).

when you install a package A that has a dependency on some other package B, and B fixes a security issue and creates a new version for the fix, yarn upgrade is not going to update B for you until A releases a newer version and you upgrade to it. As of writing, there is no direct way to make yarn upgrade indirect dependencies as well.

The purpose of this package is to provide a way to "unlock" indirect dependencies without wiping the whole yarn.lock.

It works for any yarn-based project, including monorepos.

Usage

Yarn.lock has its purpose, and updating everything at once can lead to failures that are hard to debug and correct. This is why this package provides multiple options to handle different needs.

Unlock dev dependencies

This command updates only the transitive dependencies introduced by devDependencies. It is a safe command, and you should consider running it on a schedule.

npx yarn-unlock-file dev
yarn # don't forget to regenerate the lock file

Understanding the change

npx yarn-unlock-file dev --dry-run
# will display information about the packages to be unlocked
npx yarn-unlock-file dev --min-level 1
# will also unlock direct dev dependencies (level 1)

Unlock direct dependencies

The sibling command updates all direct dependencies: the ones used for the actual end artifact. With proper testing in place this can be considered a safe command as well.

npx yarn-unlock-file direct
yarn # don't forget to regenerate the lock file

Unlock all

This is an unsafe command, as it potentially unlocks too much.

npx yarn-unlock-file all
yarn # don't forget to regenerate the lock file

Unlock selective

Unlocks the given dependency (selected by glob pattern) and all of its dependents.

# update all material-ui packages and their deps
npx yarn-unlock-file matching "@material-ui/*"
# any @types packages
npx yarn-unlock-file matching "@types/*"
# many react libraries; this updates them within the allowed semver interval
npx yarn-unlock-file matching "react-**"
yarn # don't forget to regenerate the lock file

Note

⚠️ All commands except all have the min-level option set to 2, so they never affect your direct dependencies.

  • Set --min-level 1 to perform broader updates
  • Set --min-level to a value greater than 1 to perform more conservative (safer) updates

Extra API

The commands above also support a few extra arguments to scope down the update.

--only prefix

The following command will update only material-ui packages:

npx yarn-unlock-file all --only @material

levels

The following command prints dependencies separated into level buckets:

## prints first-level dependencies
npx yarn-unlock-file levels 1
## prints third-level dependencies
npx yarn-unlock-file levels 3
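To make the level and min-level semantics used by the commands above (dev, direct, all, --min-level, --only, levels) concrete, here is an added example that is not part of the yarn-unlock-file project: a small, self-contained model of what "unlocking" a yarn.lock v1 file means. It parses a constructed lockfile and package.json, assigns each entry a level by breadth-first walk from the chosen roots (level 1 = direct dependency), and drops every entry at or beyond the minimum level so that a following `yarn` run would re-resolve those packages within their semver ranges. The sample data, the function names, and one policy choice are assumptions of this example, not the tool's documented behaviour: in dev scope, an entry that the production graph also reaches is kept locked, so unlocking dev dependencies cannot silently move a production package.

```javascript
// Added example, not the yarn-unlock-file project's own code: a minimal model
// of "unlocking" a yarn.lock v1 file. Entries at or beyond a minimum level from
// the chosen roots are dropped from the lock text; a following `yarn` run would
// re-resolve them to the newest versions their semver ranges allow.

// Constructed sample yarn.lock v1 content (not taken from a real project).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^18.0.0":
  version "18.11.9"

app-lib@^1.0.0:
  version "1.0.0"
  dependencies:
    helper-a "^2.0.0"

helper-a@^2.0.0:
  version "2.1.0"
  dependencies:
    helper-b "~3.0.0"

helper-b@~3.0.0:
  version "3.0.4"

mock-lib@^1.0.0:
  version "1.2.0"

test-tool@^5.0.0:
  version "5.0.1"
  dependencies:
    helper-b "~3.0.0"
    mock-lib "^1.0.0"
`;

// Constructed package.json for the same project.
const SAMPLE_PKG = {
  dependencies: { "app-lib": "^1.0.0" },
  devDependencies: { "@types/node": "^18.0.0", "test-tool": "^5.0.0" },
};

// One indented lockfile line: indent, key (optionally quoted), optional value.
const LINE_RE = /^(\s*)"?([^\s:"]+)"?(?:\s+(.*?))?:?$/;

// Parse yarn.lock v1 into entries { keys, name, version, deps, text }.
function parseLockfile(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split("\n").filter((l) => l.trim() !== "" && !l.startsWith("#"));
    if (lines.length === 0) continue;
    // Header line, e.g. `"@types/node@^18.0.0":` or `a@^1.0.0, a@^1.2.0:`
    const keys = lines[0].replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
    const entry = { keys, name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: "", deps: {}, text: block.trim() };
    let section = null; // "dependencies" / "optionalDependencies" while inside that sub-block
    for (const line of lines.slice(1)) {
      const m = LINE_RE.exec(line);
      if (!m) continue;
      const [, indent, key, raw] = m;
      const value = raw === undefined ? undefined : raw.replace(/^"|"$/g, "");
      if (indent.length === 2) {
        section = value === undefined ? key : null;
        if (key === "version") entry.version = value;
      } else if (indent.length === 4 && (section === "dependencies" || section === "optionalDependencies")) {
        entry.deps[key] = value;
      }
    }
    entries.push(entry);
  }
  return entries;
}

// Breadth-first walk from root ranges; level 1 = direct, 2 = their dependencies, ...
// Each entry gets the smallest level at which it is reached.
function computeLevels(entries, roots) {
  const byKey = new Map();
  for (const e of entries) for (const k of e.keys) byKey.set(k, e);
  const levels = new Map();
  let frontier = Object.entries(roots).map(([n, r]) => byKey.get(`${n}@${r}`)).filter(Boolean);
  for (let level = 1; frontier.length > 0; level++) {
    const next = [];
    for (const e of frontier) {
      if (levels.has(e)) continue;
      levels.set(e, level);
      for (const [n, r] of Object.entries(e.deps)) {
        const child = byKey.get(`${n}@${r}`);
        if (child && !levels.has(child)) next.push(child);
      }
    }
    frontier = next;
  }
  return levels;
}

// Counterpart of the `levels` command: { 1: [names], 2: [names], ... } over the whole graph.
function levelBuckets(lockText, pkg) {
  const entries = parseLockfile(lockText);
  const levels = computeLevels(entries, { ...pkg.dependencies, ...pkg.devDependencies });
  const buckets = {};
  for (const [e, lvl] of levels) (buckets[lvl] = buckets[lvl] || []).push(e.name);
  for (const names of Object.values(buckets)) names.sort();
  return buckets;
}

// scope: "dev" | "direct" | "all"; minLevel: first level that gets unlocked (default 2, like the CLI);
// only: optional package-name prefix (like --only). Returns the new lock text and what was removed.
function unlock(lockText, pkg, { scope, minLevel = 2, only = "" }) {
  const entries = parseLockfile(lockText);
  const prod = pkg.dependencies || {};
  const dev = pkg.devDependencies || {};
  const roots = scope === "dev" ? dev : scope === "direct" ? prod : { ...prod, ...dev };
  const levels = computeLevels(entries, roots);
  // Assumption of this example: in dev scope, anything the production graph also needs stays locked.
  const pinned = scope === "dev" ? computeLevels(entries, prod) : new Map();
  const removed = [];
  const kept = [];
  for (const e of entries) {
    const lvl = levels.get(e);
    const unlockIt = lvl !== undefined && lvl >= minLevel && !pinned.has(e) && e.name.startsWith(only);
    (unlockIt ? removed : kept).push(e);
  }
  const header = lockText.split("\n").filter((l) => l.startsWith("#")).join("\n");
  return { removed: removed.map((e) => e.keys[0]), lockText: `${header}\n\n\n${kept.map((e) => e.text).join("\n\n")}\n` };
}
```

With the sample data, `unlock(SAMPLE_LOCK, SAMPLE_PKG, { scope: "dev" })` removes only mock-lib: helper-b is also reached from the production dependency app-lib, so it stays pinned even though test-tool depends on it too. `scope: "direct"` removes helper-a and helper-b (levels 2 and 3 below app-lib), and `scope: "all", minLevel: 1` empties the lockfile entirely, which is why the README calls the all command unsafe. Running the real CLI with --dry-run before committing a regenerated yarn.lock gives you the same kind of preview as the `removed` list here.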

API

This package exposes a low-level API as well, but for now let's keep it undocumented. Use the CLI.

See also

  • Inspired by https://www.npmjs.com/package/yarn-unlock-indirect-dependencies

License

MIT