From: Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Date: Thu, 29 Aug 2019 22:38:11 +0000 (+0200)
Subject: "yarn install" should be executed with option "--frozen-lockfile"
X-Git-Tag: 8.0~188
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=a1e6688b2608c06e11b684e8b2f3192dcca99da3;p=sonarqube.git

"yarn install" should be executed with option "--frozen-lockfile"
---

diff --git a/build.gradle b/build.gradle
index fe66bf28542..a967d1a6267 100644
--- a/build.gradle
+++ b/build.gradle
@@ -459,6 +459,12 @@ subprojects {
 def yarnInstallTasks = allprojects.findResults { it -> it.tasks.findByName('yarn') }
 yarnInstallTasks.drop(1).eachWithIndex { it, i -> it.mustRunAfter(yarnInstallTasks[0..i]) }
 
+// by default, Yarn will update lock file if it is not up to date with "package.json"
+// using option "--frozen-lockfile" will disable this behavior and "yarn install" will fail if lock file is out of date
+// all "yarn install" tasks should be executed with this option for reproducibility of builds
+// and to prevent developers from forgetting to update lock file when they update "package.json"
+yarnInstallTasks.each { it -> it.args = ['--frozen-lockfile'] }
+
 
 artifactory {
   clientConfig.setIncludeEnvVars(true)