How to skip the 'fetch' step

[jackmtpt]

We have quite a strict corporate policy on fetching new package versions - some packages can be upgraded to the latest version but many require explicit approval before we're able to fetch them from our internal mirror package repo. The repo responds with a 403 for any non-approved package, which is a real problem for projects using yarn because the installation aborts at the first download failure.

When trying to update from one version of large third-party packages to another, there can be hundreds of dependencies that need to be updated, each of which currently requires us to seek approval before we can proceed to getting the next error. Essentially what happens is:

• package.json is bumped to use a new version of whatever package
• yarn install tries to get all the new dependencies, fails on new version of dependency A
• We spend some time getting that approved
• yarn install then fails on dependency B
• Repeat until your security team hates you because you had to request everything one at a time.

How can I generate a list or a new yarn.lock file containing the resolved versions of ALL dependencies, without actually trying to fetch any of them from the repository? I want to know what all the new versions are going to be so that I can send one list to the security team for approval.

yarn install --mode update-lockfile (with and without --refresh-lockfile) does not work because it tries to fetch the .tgz file for each package, which is what's blocked.

Using yarn 4.6.0

[clemyan]

There is no built-in way to do that, but it can be done with a plugin:

• copy project.originalPackages
• change the dependency descriptor in workspace.manifest.dependencies
• call project.resolveEverything
• compare the project.originalPackage with the stored copy