Home / JavaScript / Miscellaneous

Creates a comment inside Pull Request with the human-readable summary of changes to the Yarn lock file.

Yarn Lock Changes     Creates a comment inside Pull Request with the human-readable summary of the changes to the yarn.lock file. Works in public and
Information
Category: JavaScript / Miscellaneous
Watchers: 1
Star: 80
Fork: 1
Last update: Sep 19, 2021
Resource links
https://github.com/marketplace/actions/yarn-lock-changes
https://github.com/Simek/yarn-lock-changes

Yarn Lock Changes

Creates a comment inside Pull Request with the human-readable summary of the changes to the yarn.lock file. Works in public and private repositories, offers a degree of customization.

Usage

- name: Yarn Lock Changes
  # for now, use `main` before the stable release will be published as `v1`
  uses: Simek/[email protected] 
  with:
    token: ${{ secrets.GITHUB_TOKEN }}

Inputs

Input Required Default Description
collapsibleThreshold No '25' Number of lock changes, which will result in collapsed comment content an addition of summary table.
failOnDowngrade No 'false' When a dependency downgrade is detected, fail the action. Comment will still be posted.
path No 'yarn.lock' Path to the yarn.lock file in the repository. Default value points to the file at project root.
token Yes GitHub token for the bot, so it can publish a comment in the pull request.
updateComment No 'true' Update the comment on each new commit. If value is set to 'false', bot will post a new one on each change.

Workflow Example

Example below includes all the optional inputs for the action (set to their default values), if you are happy with generated output, it's safe to remove all of them (besides required token).

name: Yarn Lock Changes
on: [pull_request]

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Yarn Lock Changes
        uses: Simek/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          collapsibleThreshold: '25'
          failOnDowngrade: 'false'
          path: 'yarn.lock'
          updateComment: 'true'

Preview

Basic comment appearance

basic

Comment appearance when collapsibleThreshold has been reached

summary

1 Open More issues
Closed

Bump lodash from 4.16.6 to 4.17.21 in /tests/detached

Bumps lodash from 4.16.6 to 4.17.21.

Commits
  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • ded9bc6 Bump to v4.17.20.
  • 63150ef Documentation fixes.
  • 00f0f62 test.js: Remove trailing comma.
  • 846e434 Temporarily use a custom fork of lodash-cli.
  • 5d046f3 Re-enable Travis tests on 4.17 branch.
  • aa816b3 Remove /npm-package.
  • d7fbc52 Bump to v4.17.19
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies 
opened Jul 20, 2021 by dependabot[bot] 9
Closed

[Feature Request]: compare to pull request target branch and not repository.default_branch

Issue 
opened Jul 5, 2021 by Bnaya 6
Closed

Cannot read `yarn.lock` larger than 1MB

Hi,

Thanks for creating this action - it would be useful for my CI/CD. However, our yarn.lock is 1.1MB and the action fails with the following message:

Run Simek/[email protected]
  with:
    collapsibleThreshold: 25
    path: yarn.lock
    token: ***
    updateComment: true

Error: This API returns blobs up to 1 MB in size. The requested blob is too large to fetch via the API, but you can use the Git Data API to request blobs up to 100 MB in size.: {"resource":"Blob","field":"data","code":"too_large"}
Issue 
opened Apr 30, 2021 by vknez 6
Closed

error with v0.11.0 for yarn 3 lock file

Following the latest addition for Yarn 3 support, I just tried it on my repository. However, I still get an error, see this log: image

Issue 
opened Jul 11, 2022 by ValentinH 5
Closed

Feature request: support multiple yarn.lock files

Hello and thanks for developing and maintaining this action!

I have a bit of an unusual setup, in which my repo contains several projects. Sort of like a monorepo, but without all the extra tooling. Basically, my repo is in transition from a legacy app to a modern one:

/package.json and /yarn.lock for shared devDependencies. /legacy-app/package.json and /legacy-app/yarn.lock for the legacy app. /modern-app/package.json and /modern-app/yarn.lock for the modern app.

Is there a chance to add support for either detecting multiple yarn.lock files - or - specifying them explicitly, just like the current path allows, but for more than one?

opened Jul 15, 2021 by elektronik2k5 5
Closed

Feature request: npm package-lock.json support / version

Nice project. Support for / an equivalent for npm's package-lock.json would be great. I'm not sure how possible that is

Feature Request 
opened May 26, 2021 by adam-lynch 5
Open

Upgrade babel core - without any dedup

Example for #42

opened Oct 4, 2021 by Bnaya 0
Open

Feature Request: more detailed/correct information when package become duplicated

Intro: yarn.lock file may contain several versions of the same dependency. When adding/upgrading packages using yarn, you sometimes end up not with an upgrade, but with an additional of another version of the package.

In the current state of this action, when another version is added, it still marks it as updated. I think it will be more correct to mark it as "added" with the new version, and not as update, or created additional kind of indication for that.

I will try to open a PR to emphasis that.

Worth noting: yarn-deduplicate is an important tool that dramatically helps avoiding unneeded duplications (Some duplications are needed) https://github.com/atlassian/yarn-deduplicates

opened Oct 4, 2021 by Bnaya 1
Open

`yarn-lock-changes` gets confused when a PR is on an older commit than default branch

When the default branch has a yarn.lock with more recent packages than the branch that a PR is based on, yarn-lock-changes thinks that the PR is downgrading said packages even though it doesn't actually change yarn.lock. Example:

  • @babel/core is at 7.14.8 on default branch
  • PR is based on a commit that is just before the bump of @babel/core
  • yarn-lock-changes thinks that the PR is downgrading @babel/core

See https://github.com/microsoft/react-native-test-app/pull/426.

Issue 
opened Jul 26, 2021 by tido64 1
Open

Error: Resource not accessible by integration

Hi!

I'm getting the error Error: Resource not accessible by integration when the action runs on a PR created by a GitHub integration (dependabot). This makes the CI fail, I think it'd be better to just skip the workflow if it really can't run for integrations, if it can then this is a bug report :)

> Run Simek/[email protected]
  with:
    token: ***
    collapsibleThreshold: 25
    failOnDowngrade: false
    path: yarn.lock
    updateComment: true
Error: Resource not accessible by integration

This is the PR: https://github.com/cuvent/react-native-vision-camera/pull/158

Issue 
opened Jun 1, 2021 by mrousavy 1
Open

Detect dependency depth and allow to configure max depth

Currently all dependency changes are listed in summary comment.

It will be nice to detect the depth of dependency and allow users to configure maxDepth via action inputs. This field should be optional and by default set to 0, which means that comment should include all the changes.

Enhancement 
opened Apr 26, 2021 by Simek 0

v0.11.1(Jul 11, 2022)

Changes visible for end-users:

  • [Berry] fix error while parsing locally linked packages with no dependencies (thanks to @ValentinH for the issue report)

v0.11.0(Jul 10, 2022)

Changes visible for end-users:

  • action now includes support for parsing and diffing Yarn Berry (v2 & v3) locks

    Note If you notice any problems or experience failures while using action with newer locks, please let me know and fill an issue.

v0.10.0(Jul 10, 2022)

Changes visible for end-users:

None, see notes below.

⚠️ Additional notes

This version includes the switch to new and internal Yarn lock parser, which introduction aims for better extensibility and general action performance. At least for now, the new parser outputs the same data structure as the official Yarn package, so there should not be any visible changes for the end-users.

v0.9.0(Apr 19, 2022)

Changes visible for end-users:

  • action default runner has been changed from Node 12 to Node 16

v0.8.1(Aug 22, 2021)

Changes visible for end-users:

  • in certain cases, action could report dependency incorrectly as "Downgraded" because parse and compare mechanism is sensitive to the order of entries, the problem behind this issue has been fixed in this release, if you are seeing regression in downgrade detection in your CI after this update please open the issue and attach the lock files (if possible)

v0.8.0(Aug 4, 2021)

Changes visible for end-users:

  • add basic debug logs to help users investigate the issues in their workflows, you can read more in the new section of Readme
  • improve fail messages seen in the action output
  • action now creates comparison using the correct target branch instead of default repository branch, however the default branch is still the fallback, if for some reason, the target branch no longer exist

⚠️ Additional notes

If the action fails in your repository for the Dependabot PRs please check the "Common Issues" section in the Readme, which includes the guide how to update the workflow file and why you need to do this to fix the issue.

Contents

    imsnif Convert yarn.lock to package-lock.json and vice versa
    qassandrach This action split Pull Request comment into arguments
    yoshuawuyts fd-lock - Advisory cross-platform lock on a file using a file descriptor to it
    arteria Plugin for django CMS – Add comments to the structure board and comment out plugins, visible to staff only
    sindresorhus Lock your system from the command-line
    sindresorhus Lock your Mac from the command-line
    Miserlou FriendlyID is an Elixir package that creates unique(-ish) friendly, human-readable identifiers for your objects.
    wadackel 🌲 This action provide a comment that displays the diff of the pull request in a tree format.
    siketyan 🔍 Universal Lock File Scanner for Git. (Lock + Scan = LoXcan!)
    vipzhicheng Building an automatic comment history for Logseq
    Molunerfinn :octocat:The node version of github-profile-summary with GraphQL
    sindresorhus Creates a readable stream producing cryptographically strong pseudo-random data using `crypto.randomBytes()`
    pinetum Using android phone to establish a connection with your Mac via Bluetooth low-energy (BLE), controlling Mac lock state (Lock or Unlock).
    BurtonQin Statically detect double-lock & conflicting-lock bugs on MIR
    chalda-pnuzig Lock.js is a javaScript library for generating numbers lock.
    AbdallahHemdan Chrome extension that adds a conventional comment button to Github file explorer comments, allowing you to quickly leave a structured semantic comment during your PR reviews!
    jkup Display and pull branches from GitHub pull requests
    telekom-security Human and machine readable web vulnerability testing format
    dipien Gradle Plugin to automatically upgrade your gradle project dependencies and send a GitHub pull request with the changes
    avoidwork JavaScript library to generate a human readable String describing the file size
    tipsy Tool for visualizing GitHub profiles
    Share this repo

    Related Repos


    Miscellaneous
    5.5k
    Apache OpenWhisk is an open source serverless cloud platform
    apache OpenWhisk OpenWhisk is a serverless functions platform for building cloud applications. OpenWhisk offers a rich programming model for creating serverl
     
    Miscellaneous
    11
    Replaces twitter NFT idiocracy
    4ndv HexaGone HexaGone allows you to revert or customize twitter's new hexagonal avatars. It's a collection of a several userscripts, with different clip m
     
    Miscellaneous
    6
    replaces the nft avatars on twitter with subway jared
    virginteen replace-nft-avatars a chrome extension that replaces the nft avatars on twitter with subway jared to install Download this repo (Code > Download ZIP).
     
    Miscellaneous
    5
    Smart Contract Viewer for VS Code
    MetaplasiaTeam Contract Viewer English | 中文 Contract Viewer 是一个 VS Code 扩展,他可以帮你从区块链浏览器下载合约代码,只需要一个合约地址即可下载。 目前仅支持以太坊使用 Solidity 的智能合约,后续会支持更多类型。 快速开始 配置一个 API 在 Erh
     
    Miscellaneous
    5
    Video calling using WebRTC
    mehditeymorian webrtc-video-call This project is a video calling application using WebRTC technology. It contains minimum requirements to provide a group video call.
     
    Miscellaneous
    3
    A multipurpose bot, a clan bot, a all in one bot. The one bot u need for ur server origina...
    Tomato6966 Multipurpose-discord-bot A multipurpose bot, a clan bot, a all in one bot. The one bot u need for ur server originally made as Milrato discord Bot and
     
    Miscellaneous
    334
    A template for site builders and low-code tools.
    vercel Platforms Starter Kit The all-in-one starter kit for building platforms on Vercel. Introduction · Guide · Demo · Contributing Deploy Your Own Read the
     
    Miscellaneous
    152
    A Raycast/Alfred/Spotlight alternative
    ospfranco sol A Raycast/Alfred/Spotlight alternative Don't bother trying to run this, it's WIP, right now only the basic UI is there, no logic, there many bugs/
     
    Miscellaneous
    73
    Self hosted media tracker for movies, tv shows, video games, books and audiobooks
    bonukai MediaTracker · Self hosted platform for tracking movies, tv shows, video games, books and audiobooks, highly inspired by flox Demo https://mediatracke
     
    Miscellaneous
    52
    Everytime I come across good Github profiles I index them here
    championswimmer awesome-devs Everytime I come across good Github profiles I index them here NOTE: If you are on the github repo currently, go to the website 👇 to see
     
    Miscellaneous
    49
    Minimalist template for foundry projects
    ZeframLou Foundry template This is a template for a Foundry project. Installation To install with DappTools: dapp install [user]/[repo] To install with Foundry
     
    Miscellaneous
    45
    Log in the node terminal from the browser
    patak-dev vite-plugin-terminal Log in the node terminal from the browser Open a playground online in StackBlitz Install npm i -D vite-plugin-terminal Add plugin
     
    Miscellaneous
    43
    A simple web3 app for minting NFTs
    fireship-io Web3 - Full Tutorial The demo contains a basic web3 app and smart contract for minting NFTs. See it in action in the Web3 NFT Tutorial on YouTube. Fol
     
    Miscellaneous
    28
    A three.js component library for Svelte.
    grischaerbe A three.js component library for svelte. Index What is threlte? Getting started Concepts Interactivity Viewport Awareness Reactivity Conventions Refer
     
    Miscellaneous
    26
    Wordle Svelte Clone
    tayfunerbilen Wordle Svelte Clone Son zamanlarda popüler olan WORDLE uygulamasını svelte ile yapmaya çalıştım. Bu tarz acaba yapsam nasıl yapardım uygulamarı bana ç