ReactNative: How yarn.lock works

Tram Ho

The purpose of this article is to explain the function of the yarn.lock file as well as how to update dependencies with yarn. A lot of people see it as a nuisance to have an additional file in their project, and it shows up in every code review whenever a dependency changes (sometimes the diff can be quite large). Although a bit annoying, it is an important file to have, whether you work as a team or alone with CircleCI.

How the lock file works

When yarn is used to manage npm dependencies, a yarn.lock file is created automatically. Whenever a dependency is added, removed or modified through the yarn CLI (for example by running the yarn install command), the yarn.lock file is updated automatically as well.

Note: If a dependency is changed manually in the package.json file, yarn will update yarn.lock the next time the yarn CLI is used to install or update dependencies. So after making changes in package.json, make sure you run yarn install to bring the yarn.lock file up to date.

The purpose of the lock file is to lock down the versions of the dependencies specified in the package.json file. To that end, yarn.lock contains an entry for every dependency and sub-dependency used by the project. Each entry is a block in yarn.lock that describes exactly which version of the dependency was installed. It has the following format:

The entry above in the yarn.lock file records that react version 16.8.3 was installed, the registry URL the package was downloaded from, an integrity hash (to make sure the package contents have not been changed), and a list of sub-dependencies (dependencies of the dependency). Looking further into the yarn.lock file, we will see that it also has entries for those sub-dependencies. For example, this is the entry for the object-assign sub-dependency:

So what is the benefit of locking down the dependency versions? If the versions are not locked, then every time the dependencies are installed with yarn install the versions you get may differ: if one of the dependencies has a new version and that version is within the range given in package.json, the newest version will be installed.

Note: If it is hard to remember or grasp how version ranges work, there is an online calculator that gives a visual view of which package versions a range covers.

As an example, take a dependency declared in package.json:

Assuming the current version of lodash is 3.9.1, anyone who then installs the dependencies with yarn install will get version 3.9.1.

Now suppose lodash releases a new version 3.9.2 and someone else runs yarn install for the package.json shown above. He or she will receive lodash 3.9.2, because the version range specified in package.json is ^3.9.1. Now there are two different versions of lodash installed, 3.9.1 and 3.9.2, even though all the code in the repo is the same. You can see that this can cause problems, as the same app may run differently on two separate computers.

Now let's revisit the scenario above, but with yarn.lock used to lock down the dependency versions. When someone installs the dependencies, they end up with the version recorded in the yarn.lock entry.

Now, assuming the yarn.lock file is committed to source control, someone could pull the code and run yarn install. Regardless of the current lodash release, the installed version is still 3.9.1 because that is what is specified in the yarn.lock file.

How to upgrade dependencies

Now consider the following dependency in package.json:

Remember that in this example the yarn.lock file locks the lodash version at 3.9.1.

Now, some people will wonder why we specify a version range in package.json at all if the installed version is always the same, even when a new version is released. For example, the range ^3.9.1 covers versions from 3.9.1 up to, but not including, 4.0.0. Of course, even once 3.9.2 is released it will not be installed, as long as the version in the lock file is still 3.9.1.

This is where the yarn upgrade command comes in. yarn upgrade updates all dependencies in package.json to the highest version within the range listed in package.json. Assuming the lock file says 3.9.1 and the current release is 3.10.3, running yarn upgrade will install version 3.10.3 and the yarn.lock entry will be changed to 3.10.3.

Upgrading a dependency to the latest version

To upgrade to the latest version, ignoring the version range in the package.json file, we just need to run the yarn upgrade --latest command. Assuming lodash 4.17.14 has been released, it will be installed, and this time the lock file will also be updated to 4.17.14.

yarn will also automatically update the package.json file to:
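The four behaviours described above (a fresh install with no lock file, an install with a lock file, yarn upgrade, and yarn upgrade --latest) can be modelled in a few lines. The script below is an added example, not code from the article or from yarn; the lists of "published" lodash versions are constructed so that they match the numbers used in the text, and the caret rule is the standard semver one (^3.9.1 accepts 3.9.1 and anything below 4.0.0).

```javascript
// Added example: a small model of how yarn picks a version with and without a
// lock file. Published version lists are constructed for this example.
function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Numeric comparison, so "3.10.3" sorts after "3.9.1" (a string sort would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Exclusive upper bound of a caret range: ^3.9.1 -> 4.0.0, ^0.13.3 -> 0.14.0.
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Supports caret ranges ("^x.y.z") and exact versions ("x.y.z").
function satisfies(v, range) {
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return compareVersions(v, base) >= 0 && compareVersions(v, caretUpperBound(base)) < 0;
  }
  return compareVersions(v, range) === 0;
}

// Highest published version inside the range: what an install without a lock
// file does, and also what `yarn upgrade` does.
function resolveHighest(published, range) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Install with a lock file: keep the locked version as long as it still
// satisfies the range in package.json; otherwise resolve afresh (this is the
// "edited package.json by hand" case from the note above).
function installWithLock(published, range, lockedVersion) {
  if (lockedVersion && satisfies(lockedVersion, range) && published.includes(lockedVersion)) {
    return lockedVersion;
  }
  return resolveHighest(published, range);
}

// `yarn upgrade --latest` ignores the range and takes the newest version.
function upgradeLatest(published) {
  return [...published].sort(compareVersions).pop();
}

// Constructed registry snapshots matching the article's lodash story.
const registryDay1 = ["3.9.0", "3.9.1"];
const registryDay2 = ["3.9.0", "3.9.1", "3.9.2"];
const registryLater = ["3.9.0", "3.9.1", "3.9.2", "3.10.3", "4.17.14"];
const range = "^3.9.1";

function scenarios() {
  return {
    firstInstall: resolveHighest(registryDay1, range),          // 3.9.1
    noLockDay2: resolveHighest(registryDay2, range),            // 3.9.2: drift
    withLockDay2: installWithLock(registryDay2, range, "3.9.1"),// 3.9.1: pinned
    withLockLater: installWithLock(registryLater, range, "3.9.1"),
    upgrade: resolveHighest(registryLater, range),              // 3.10.3
    upgradeLatest: upgradeLatest(registryLater),                // 4.17.14
  };
}

console.log(scenarios());
```

The noLockDay2 versus withLockDay2 pair is the whole argument for committing yarn.lock: the same package.json yields different installs on different days unless the lock file fixes the choice.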

Interactive upgrade

For a repository with many dependencies, it can be helpful to see the list of dependencies that can be upgraded. Running yarn upgrade-interactive --latest shows a list of all dependencies that can be updated; dependencies in the list can be selected and updated to their highest version. Below you can see the output of yarn upgrade-interactive --latest. This is quite useful: we can see details of each upgradable dependency and warnings about the changes.

REFER: https://www.robertcooper.me/how-yarn-lock-files-work-and-upgrading-dependencies


Source : Viblo