error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`

Question

I have an issue regarding one dependency in my yarn.lock file. The issue is with ldapjs, the latest version has a bug regarding special characters in user or password so I want to freeze it in the latest working version which is 1.0.2.

As I commited my code to master branch, the step of building this project started to fail saying the message of the title.

Here is my dockerfile

FROM repository/node-oracle:10.15.3

LABEL maintainer="Me"

RUN yarn cache clean

# Add Tini
ENV TINI_VERSION v0.18.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
ENTRYPOINT ["/tini", "--"]

WORKDIR /usr/src/auth

COPY . .

RUN yarn install --frozen-lockfile --non-interactive --silent

ENV PATH /usr/src/auth/node_modules/.bin:$PATH

EXPOSE 3000

CMD ["node", "./bin/www"]

Any work around on how can I make this work?

Also as an extra info, I was able to run the pipeline with this step in a feature branch, the message started in develop and master branch.

[UPDATE]

These are the dependencies updated and freezed in my yarn.lock file

activedirectory@^0.7.2:
  version "0.7.2"
  resolved "https://registry.yarnpkg.com/activedirectory/-/activedirectory-0.7.2.tgz#19286d10c6b24a98cc906dc638256191686fa91f"
  integrity sha1-GShtEMaySpjMkG3GOCVhkWhvqR8=
  dependencies:
    async ">= 0.1.22"
    bunyan ">= 1.3.5"
    **ldapjs "=1.0.2"**
    underscore ">= 1.4.3"

***[email protected]***:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/ldapjs/-/ldapjs-1.0.2.tgz#346e040a95a936e90c47edd6ede5df257dd21ee6"
  integrity sha512-XzF2BEGeM/nenYDAJvkDMYovZ07fIGalrYD+suprSqUWPCWpoa+a4vWl5g8o/En85m6NHWBpirDFNClWLAd77w==
  dependencies:
    asn1 "0.2.1"
    assert-plus "0.1.5"
    bunyan "0.22.1"
    nopt "2.1.1"
    pooling "0.4.6"
  optionalDependencies:
    dtrace-provider "0.2.8"

Answer 1

Just an Update. After a few attempts I was finally able to do what i wanted. Removing the ^ from ldap.js and from active directory (which contains the ldap.js library) did the job as expected.

Answer 2

I was stuck in the same error and the issue was that my yarn.lock file was not up to date. I followed the following link and it fixed my issue.

Apparently, I just had to run yarn install to update my yarn.lock file and push to the repository.

Answer 3

If we always used yarn install and yarn remove, the lockfile would always be up to date. But many of us edit package.json by hand, which means the lock file can be out of date. My solution has been to (1) always run a yarn install before I make a commit; and as a backstop (2) run this via a husky check:

PACKAGE_CHANGED=$(date +"%s" -r package.json)
LOCKFILE_CHANGED=$(date +"%s" -r yarn.lock)
if [ $PACKAGE_CHANGED -gt $LOCKFILE_CHANGED ]
then
  echo AN EXPLANATION OF THE ERROR
  exit 1
fi

It's good to use --frozen-lockfile. A backstop like this helps the devs remember what's required.

Answer 4

Sometimes the error occurs if the yarn install is run from a folder which contains no yarn.lock file. For example if building inside a docker which contains separate frontend and backend.

Solution 1

In that case go to the specific frontend folder which contains the package.json and yarn.lock folder and run the yarn install from there.

Solution 2

run yarn add <package> which will generate a file yarn.lock in the project base folder if the command is run from the base folder. Copy the contents of that file to the existing yarn.lock. This should solve the problem. Here is a link for yarn add package.