yarn-lock-changes

Changes visible for end-users:

• drop Node 14 and Node 16 workflow support

  As stated in the previous release, from this major version upward, the Node 14 and Node 16 workflow support has been dropped, due to upgrade of @actions/github package.

[!note]
For Node <18 support, you can change the action version tag in your workflow to v0.11 , to use the latest action prior this release:

- name: Yarn Lock Changes
  uses: Simek/[email protected]

Changes visible for end-users:

• fix error while parsing lock files with optional name key in entries (thanks to @nathanforce for the issue report and initial fix)

[!NOTE]
In the next major action release the support for Node 14 and 16 will be dropped because of the latest @actions/github release which drops the support for those engines due to Octokit packages update.

If you are running the action using different runner than the default one, it might be a good time to make sure that your workflow uses at least Node 18. Otherwise, the future Node version switch should be seamless for you.

Changes visible for end-users:

• add groupByType boolean config option to group row in the comment table by the change type, the following order will be used:

  • Added
  • Updated
  • Downgraded
  • Removed

  The dependencies within the groups will still be ordered alphabetically.

Changes visible for end-users:

• [Berry] fix error while parsing locally linked packages with no dependencies (thanks to @ValentinH for the issue report)

Changes visible for end-users:

• action now includes support for parsing and diffing Yarn Berry (v2 & v3) locks

  Note If you notice any problems or experience failures while using action with newer locks, please let me know and fill an issue.

Changes visible for end-users:

None, see notes below.

⚠️ Additional notes

This version includes the switch to new and internal Yarn lock parser, which introduction aims for better extensibility and general action performance. At least for now, the new parser outputs the same data structure as the official Yarn package, so there should not be any visible changes for the end-users.

Changes visible for end-users:

• action default runner has been changed from Node 12 to Node 16

Changes visible for end-users:

• in certain cases, action could report dependency incorrectly as "Downgraded" because parse and compare mechanism is sensitive to the order of entries, the problem behind this issue has been fixed in this release, if you are seeing regression in downgrade detection in your CI after this update please open the issue and attach the lock files (if possible)

Changes visible for end-users:

• add basic debug logs to help users investigate the issues in their workflows, you can read more in the new section of Readme
• improve fail messages seen in the action output
• action now creates comparison using the correct target branch instead of default repository branch, however the default branch is still the fallback, if for some reason, the target branch no longer exist

⚠️ Additional notes

If the action fails in your repository for the Dependabot PRs please check the "Common Issues" section in the Readme, which includes the guide how to update the workflow file and why you need to do this to fix the issue.

Changes visible for end-users:

• if path input is set to the custom value, the bot comment will now include the note about lock file location, this should help to differentiate the comments when multiple locks have been changeg within the same Pull Request
• (💥) Boolean inputs are now validated by build-in @actions/core package helper method getBooleanInput, which only supports the reduced set of YAML Boolean values, so this might be considered as breaking change for the small portion of users who were using yes/no, on/off or y/n input values (however, the error message will be quite descriptive, so it should be easy to migrate the workflow setup)

Changes visible for end-users:

• new failOnDowngrade optional input, when set to true action will fail when dependency downgrade has been detected, but will still post the detected changes comment
• SVG image labels URLs in bot comment has been shortened (via https://git.io/) to reduce the risk of reaching GitHub comment content charter limit

Changes visible for end-users:

• support for large yarn.lock files (size above 1 MB)
• if generated comment will exceed GitHub comment character limit, image statuses will be replaced with plain text (to reduce the number of characters)

Changes visible for end-users:

• if updateComment input is set to 'true', bot should remove the comment, if changes to the yarn.lock in PR has been reverted
• better validation of action inputs, especially booleans, (not only 'true', but also other values like 'yes' or 'on' will be resolved to true)

Changes visible for end-users:

• lock changes table can be collapsed or expanded by users
• new collapsibleThreshold input which will determine if table should be expanded or collapsed by default
• new summary table will appear on the top of comment if count of changes is greater than collapsibleThreshold

Changes visible for end-users:

• strategy for fetching base lock file has been changed, which enables action to run in private repositories
• bot now updates the comment by default, instead of creating new one on each commit,
• updateComment optional input, set it to "false" to enforce creating new comment
• new, updated and more verbose error messages

Changes visible for end-users:

• switch to SVG status labels for readability and summary clarity
• support detection of "downgraded" dependency, earlier all mismatched versions were reported as "updated" (#7)

Changes visible for end-users:

• do no post empty comment if there were no changes to the Yarn lock.

Changes visible for end-users:

• removed debug console.log from action

Yarn Lock Changes first release!