What happened, roughly:

- I started working on a branch to upgrade the `typescript` and `@types/node` dependencies.
- Someone else landed a change on `main` to upgrade the `tar` dependency (security advisory).
- This changed the "yarn.lock" version of `tar` from 6.1.11 to 6.2.1.
- On my branch: I merged in the latest from `origin/main` using `git merge`.
- I got a Git merge conflict in "yarn.lock".
- Looking in "yarn.lock", the merge conflict was on `@types/node`. The `tar` version was 6.2.1.
- To resolve conflicts, I ran `yarn install`, which I believe is the recommended action.
- After that, the "yarn.lock" version of `tar` was back to 6.1.11, i.e. it undid the security update.

I wish I had a repro, but our repo is private and has a lot of dependencies, so I'm open to any advice on how to narrow down the issue. For example, does Yarn have debugging flags that can help with this?
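The failure mode in the post (a lockfile conflict resolved by `yarn install` silently reverting a security bump) is easy to miss in review because the merge itself succeeded. Below is an added example, not code from the Yarn project or the poster, of a pre-commit/CI guard that compares the resolved version of a package between a base lockfile and the candidate lockfile and fails on a downgrade. It assumes the Yarn v1 `yarn.lock` format (top-level `name@range:` headers followed by an indented `version "x.y.z"` line), purely numeric dotted versions, and uses two constructed sample lockfiles that mimic the versions named in the post; the package names, paths and helper names are illustrative.

```shell
#!/bin/sh
# Added example: detect a dependency downgrade between two yarn.lock (v1) files.
# Not part of Yarn or of the original post; sample lockfiles below are constructed.

# Print the resolved version of package $2 in yarn.lock v1 file $1 (first entry wins).
# Headers look like `tar@^6.1.11:` or `"@types/node@^20.11.0", "@types/node@^20":`.
lock_version() {
  awk -v pkg="$2" '
    /^[^ \t#]/ {                       # non-indented, non-comment line = entry header
      inentry = 0
      n = split($0, parts, /, */)
      for (i = 1; i <= n; i++) {
        h = parts[i]
        gsub(/^"|"?:$|"$/, "", h)      # strip surrounding quotes and trailing colon
        if (index(h, pkg "@") == 1) inentry = 1
      }
    }
    inentry && /^[ \t]+version "/ { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# Exit 0 when dotted version $1 is lower than $2, comparing components numerically
# (so 6.10.0 > 6.9.0). Assumption: no pre-release tags; "1-beta" would read as 1.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# $1 = base yarn.lock (e.g. from origin/main), $2 = candidate yarn.lock, $3 = package.
# Returns 0 if the candidate is at least the base version, 1 on a downgrade,
# 2 if the package is missing from either file.
check_no_downgrade() {
  base=$(lock_version "$1" "$3")
  cand=$(lock_version "$2" "$3")
  if [ -z "$base" ] || [ -z "$cand" ]; then
    echo "$3: missing in a lockfile (base='$base' candidate='$cand')" >&2
    return 2
  fi
  if version_lt "$cand" "$base"; then
    echo "$3: DOWNGRADE $base -> $cand" >&2
    return 1
  fi
  echo "$3: ok ($base -> $cand)"
  return 0
}

# Constructed sample lockfiles: what origin/main carried after the tar bump, and
# what the working tree held after `yarn install` resolved the conflict.
WORK=$(mktemp -d)
MAIN_LOCK="$WORK/main.yarn.lock"
RESOLVED_LOCK="$WORK/resolved.yarn.lock"
cat > "$MAIN_LOCK" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^20.11.0":
  version "20.11.30"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.11.30.tgz"

tar@^6.1.11:
  version "6.2.1"
  resolved "https://registry.yarnpkg.com/tar/-/tar-6.2.1.tgz"
EOF
cat > "$RESOLVED_LOCK" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^20.12.0":
  version "20.12.7"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.12.7.tgz"

tar@^6.1.11:
  version "6.1.11"
  resolved "https://registry.yarnpkg.com/tar/-/tar-6.1.11.tgz"
EOF

check_no_downgrade "$MAIN_LOCK" "$RESOLVED_LOCK" "@types/node"
check_no_downgrade "$MAIN_LOCK" "$RESOLVED_LOCK" tar \
  || echo "tar regressed after conflict resolution; re-apply the upgrade before committing" >&2
```

In a real checkout the base file comes from the branch you merged: `git show origin/main:yarn.lock > base.lock` and then `check_no_downgrade base.lock yarn.lock tar`. Running it for every package whose `version` line differs between `git diff origin/main... -- yarn.lock` sides turns the silent revert described in the post into a failing check rather than something noticed after the fact.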