From b59d1a0dfeddda7341a6afeb024b8a78d558963b Mon Sep 17 00:00:00 2001
From: Lukas Eipert <leipert@gitlab.com>
Date: Tue, 22 Mar 2022 15:46:33 +0100
Subject: [PATCH] Add check whether yarn.lock needs to be updated

Under certain circumstances (bad merges?) the yarn.lock file might
contain extraneous root dependencies. This is not a security risk because
the dependencies are simply not downloaded. However, it can be confusing
because a `yarn install` updates `yarn.lock` locally, while a `yarn
install --frozen-lockfile` does not fail in CI.

The last time this happened was after
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55062
was merged.

Interestingly a `yarn check --integrity` would fail. We already utilize
this locally when running `yarn run jest`. This is also not executed in
CI, because we run `yarn run jest:ci` there. Simply adding the same
check to our `static-analysis` will solve the problem in the future.
---
 scripts/static-analysis | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/static-analysis b/scripts/static-analysis
index 9c6a948adc1c..317652eb0752 100755
--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -55,6 +55,7 @@ class StaticAnalysis
     Task.new(%w[yarn run internal:stylelint], 8),
     Task.new(%w[scripts/lint-conflicts.sh], 1),
     Task.new(%w[yarn run block-dependencies], 1),
+    Task.new(%w[yarn run check-dependencies], 1),
     Task.new(%w[scripts/lint-rugged], 1),
     Task.new(%w[scripts/gemfile_lock_changed.sh], 1)
   ].compact.freeze
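Review bot: The new `Task.new(%w[yarn run check-dependencies], 1)` line invokes a `check-dependencies` yarn script, but this patch touches only `scripts/static-analysis` (1 file changed), so that script is not defined here. Please confirm `check-dependencies` already exists in `package.json` and that it runs the `yarn check --integrity` check the commit message describes; otherwise the task fails in CI with a missing-script error rather than catching a stale `yarn.lock`. It would also help to mention in the commit message that the task uses the same weight (`1`) as the neighbouring `block-dependencies` task, so a reviewer can see the scheduling impact on the static-analysis job was considered.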
-- 
GitLab