chore(deps): update yarn to >=1.22.17

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
yarn	>=1.17.3 -> >=1.22.22

---

Release Notes

yarnpkg/yarn (yarn)

v1.22.22

Compare Source

[!WARNING]
This release is missing a couple of artifacts (the .msi/.rpm/.deb/.asc files); we're working on fixing this.

• Fixes a punycode warning.

• Fixes a hoisting issue when transitive dependencies themselves listed aliases as dependencies.

v1.22.21

Compare Source

[!WARNING]
This release is missing a couple of artifacts (the .msi/.rpm/.deb/.asc files); we're working on fixing this.

• Fixes an issue in the v1.22.20 when calling Yarn from a project subfolder, outside of a Corepack context.

• Added a SKIP_YARN_COREPACK_CHECK environment variable to skip the Corepack check.

v1.22.20

Compare Source

• Important: Punycode is now embed within the bundle, as it has been deprecated by Node.js and will be removed in a future version.

• A message will be displayed when Yarn 1.22 notices that the local project has a package.json file referencing a non-1.x Yarn release via the packageManager field. The message will explain that the project is intended to be used with Corepack.

• The yarn-error.log files won't be generated anymore, as we don't process non-critical 1.x bug reports (we however process all bugs reported on https://github.com/yarnpkg/berry; we just released the 4.0.2 release there).

• The yarn set version x.y.z command will now install the exact x.y.z version (prior to this change it used to first install the latest version, and only in a second step would it downgrade to x.y.z; this was causing issues when we bump the minimal Node.js version we support, as running yarn set version 3.6.4 wouldn't work on Node 16).

• Prevents crashes when reading from an empty .yarnrc.yml file.

v1.22.19

Compare Source

• Adds compatibility with WebAuthn on the npm registry

v1.22.18

Compare Source

Node 17.7.0 had a regression in url.resolve which broke Yarn, causing network errors. This release fixes that, although the regression also got fixed on the Node side starting from 17.7.1, so as long as you keep your Node up-to-date it'll be fine.

v1.22.17

Compare Source

Strangely this released disappeared from GitHub, re-adding it.

v1.22.16

Compare Source

v1.22.15

Compare Source

• Fixes an issue on Windows where relative scripts would fail to execute

v1.22.14

Compare Source

• Fixes false positives that would happen on non-win32 platforms ("Potentially dangerous call to ...")

v1.22.13

Compare Source

• Fixes a potential security issue where packages could run scripts even with --ignore-builds set (Windows only)
• Fixes yarn init -y2 w/ Corepack
• yarn set version stable (and canary) will now defer to the stable & canary for upgrading the project

v1.22.12

Compare Source

Bogus release (published the wrong folder)

v1.22.11

Compare Source

This version fixes a problem where Yarn wasn't forwarding SIGTERM to the binary spawned via yarnPath. It also makes yarn init -2 compatible with Corepack. The behaviour of yarn init (without -2) doesn't change.

Remember that Yarn 1.x won't receive further functional improvements. We recommend you to switch to the recently-released 3.0, and to ping us on Discord if you find issues when migrating (also check our Migration Guide).

v1.22.10

• Tweak the preinstall check to not cause errors when Node is installed as root (as a downside, it won't run at all on Windows, which should be an acceptable tradeoff): https://github.com/yarnpkg/yarn/issues/8358

v1.22.7

This release doesn't change anything and was caused by a publish issue.

v1.22.6

• Running yarn init with the -2 flag won't print the set version output anymore.

• A new preinstall check will ensure that npm install -g yarn works even under Corepack. It doesn't have any effect on other setups.

v1.22.5

Compare Source

• Headers won't be printed when calling yarn init with the -2 flag

  Maël Nison

• Files with the .cjs extension will be spawned by yarnPath using `execPath

  #​8144 - bgotink

• Generates local yarn verions as .cjs files when calling yarn set version

  #​8145 - bgotink

• Sorts files when running yarn pack to produce identical layout on Windows and Unix systems

  #​8142 - Merceyz

v1.22.4

Compare Source

Those versions didn't contain any changes and were just triggered by our infra while working on the tests.

v1.22.1

Compare Source

This version fixes a problem where Yarn wasn't forwarding SIGTERM to the binary spawned via yarnPath. It also makes yarn init -2 compatible with Corepack. The behaviour of yarn init (without -2) doesn't change.

Remember that Yarn 1.x won't receive further functional improvements. We recommend you to switch to the recently-released 3.0, and to ping us on Discord if you find issues when migrating (also check our Migration Guide).

v1.22.0

Compare Source

• Allows some dots in binary names again

  #​7811 - Valery Bugakov

• Better error handling on yarn set version

  #​7848 - Nick Olinger

• Passes arguments following -- when running a workspace script (yarn workspace pkg run command -- arg)

  #​7776 - Jeff Valore

• Fixes an issue where the archive paths were incorrectly sanitized

  #​7831 - Maël Nison

• Implements yarn init -2

  #​7862 - Maël Nison

• Implements yarn set version <version> as an alias for policies set-version

  #​7862 - Maël Nison

v1.21.1

Compare Source

v1.21.0

Compare Source

v1.19.2

Compare Source

• Folders like .cache won't be pruned from the node_modules after each install.

  #​7699 - Maël Nison

• Correctly installs workspace child dependencies when workspace child not symlinked to root.

  #​7289 - Daniel Tschinder

• Makes running scripts with Plug'n Play possible on node 13.

  #​7650 - Sander Verweij

• Change run command to check cwd/node_modules/.bin for commands. Fixes run in workspaces.

  #​7151 - Jeff Valore

v1.19.1

Compare Source

Important: This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the Offline Mirror feature. After that everything will be back to normal.

• Computes the --modules-folder & friends paths based on the cwd.

  #​7607 - mbpreble

• Stores the sha512 in the cache even when not provided by the server.

  #​7591 - Maël Nison / #​7595 - Michael

• Uses the right Node binary when using yarn-path.

  #​7592 - Maël Nison

v1.19.0

Compare Source

Important: This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the Offline Mirror feature. After that everything will be back to normal.

• Fixes a potential vulnerability regarding how the build artifacts are stored

  Reported by ChALkeR, fixed by Maël Nison

v1.18.0

Compare Source

• Suggests using the Yarn 2 development trunk on PnP-enabled projects

  #​7512 - Maël Nison

• Preserves linked packages when calling yarn create

  #​7543 - Nick McCurdy

• Fixes the offline mirror filenames when using Verdaccio

  #​7499 - xv2

• Fixes using link:. to refer to the package folder

  #​7512 - Maël Nison

• Runs the prepare lifecycle of git dependencies even if NODE_ENV is set to production.

  #​7398 - John Firebaugh

• Fixes the postversion lifecycle method not being called when using --no-git-tag-version.

  #​7154 - Hampus Tågerud

• Ignores potentially large vscode keys in package.json to avoid E2BIG errors.

  #​7419 - Eric Amodio

• Enforces https for the Yarn and npm registries.

  #​7393 - Maël Nison

• Adds support for reading yarnPath from v2-produced .yarnrc.yml files.

  #​7350 - Maël Nison

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cypress-app-bot]

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

[jennifer-shehane]

Yarn 1.17.3 was released Jul 12, 2019. Seems we could require the more recent release for contributors.

I've been seeing discrepancies in the yarn.lock file and just wondering if it's because contributors are using different versions of yarn? Not sure.

Seems like CI is already running 1.22.x shown here: https://app.circleci.com/pipelines/github/cypress-io/cypress/63466/workflows/5f07e1b7-9932-4aed-ab89-d9a4ad48a4e0/jobs/2629357

We had some CI runs running as low as 1.22.17. Rather than looking into the discrepency, we'll just put that as minimum

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[cypress]

cypress    Run #56593

Run Properties:   Failed #56593  •  4512d3cfd5: how low can you goooooo

Project	cypress
Branch Review	renovate/yarn-1.x
Run status	Failed #56593
Run duration	23m 35s
Commit	4512d3cfd5: how low can you goooooo
Committer	Jennifer Shehane
View all properties for this run ↗︎

---

Test results
Failures	1
Flaky	7
Pending	1328
Skipped	0
Passing	29311
View all changes introduced in this branch ↗︎

UI Coverage  43.4%
Untested elements	218
Tested elements	171

Accessibility  91.22%
Failed rules	5 critical   10 serious   2 moderate   2 minor
Failed elements	945

---

Tests for review

  cypress/e2e/commands/querying/querying.cy.js • 1 failed test • 5x-driver-webkit

View Output

Test		Artifacts
... > throws when alias property isnt a digit or `all`		</td> </tr></table>   e2e/origin/config_env.cy.ts • 1 flaky test • 5x-driver-firefox View Output Test Artifacts cy.origin- Cypress.config() > serializable > overwrites different values in secondary if one exists in the primary </td> </tr></table>   commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-electron View Output Test Artifacts ... > stops waiting when an fetch request is canceled Test Replay   commands/querying/querying.cy.js • 1 flaky test • 5x-driver-electron View Output Test Artifacts ... > throws when alias property is `0` Test Replay   commands/querying/querying.cy.js • 1 flaky test • 5x-driver-chrome:beta View Output Test Artifacts ... > throws when alias property is `0` Test Replay   commands/net_stubbing.cy.ts • 3 flaky tests • 5x-driver-webkit View Output Test Artifacts network stubbing > intercepting request > can delay and throttle a StaticResponse </td> </tr> <tr> <td colspan="2"> <a href="https://cloud.cypress.io/projects/ypt4pf/runs/56593/overview/a846a5ad-285c-4ed6-ae2c-aa0bcf83ed4c?reviewViewBy=FLAKY&utm_source=github&utm_medium=failed&utm_campaign=view%20test"> ... > with `resourceType` > can match a proxied image request by resourceType </a> </td> <td> </td> </tr> <tr> <td colspan="2"> <a href="https://cloud.cypress.io/projects/ypt4pf/runs/56593/overview/2d4f9d9f-8c7e-413c-a1fe-a9a1c968997c?reviewViewBy=FLAKY&utm_source=github&utm_medium=failed&utm_campaign=view%20test"> ... > stops waiting when an xhr request is canceled </a> </td> <td> </td> </tr></table>

[MikeMcC399]

@jennifer-shehane

I think you may be right about the yarn.lock mismatches being caused by different versions of Yarn being used. There have been some fixes implemented in Yarn in this area.

Do you know what version of Yarn is being used by Renovate? The Renovate behind-the-scenes work does not show up in GitHub. It only shows the results.

[jennifer-shehane]

@MikeMcC399 I dunno. Apparently a bunch of our own tests run on different versions of Yarn. I mean, yarn doesn't really recommend doing it globally like this anymore, but I don't think we're ready to update everything.

[MikeMcC399]

• See Renovate PRs may include yarn.lock with mismatched lockfile #30051 It seems the yarn.lock mismatch is not caused by differing Yarn v1 versions, but rather through a missing step yarn-deduplicate --strategy highest which Renovate apparently does not carry out, but which Cypress includes in its postinstall script.
• From looking at the renovate code, it seems to use yarn@^1.22.18
  https://github.com/renovatebot/renovate/blob/1408dd16040aebe81a23c0dcda8cfd7434360e99/lib/modules/manager/npm/extract/yarn.ts#L105