Knowing how many duplicated packages is useful in PRs seperate from having them just listed as updated. (So maintainers can immediately ask contributors to run a yarn dedupe for example).

Following the latest addition for Yarn 3 support, I just tried it on my repository.
However, I still get an error, see this log:

Hi,

Thanks for creating this action - it would be useful for my CI/CD. However, our yarn.lock is 1.1MB and the action fails with the following message:

Run Simek/yarn-lock-changes@main
  with:
    collapsibleThreshold: 25
    path: yarn.lock
    token: ***
    updateComment: true

Error: This API returns blobs up to 1 MB in size. The requested blob is too large to fetch via the API, but you can use the Git Data API to request blobs up to 100 MB in size.: {"resource":"Blob","field":"data","code":"too_large"}

Seems it got confused with this diff and incorrectly added date-fns as a downgrade.

When the default branch has a yarn.lock with more recent packages than the branch that a PR is based on, yarn-lock-changes thinks that the PR is downgrading said packages even though it doesn't actually change yarn.lock. Example:

• @babel/core is at 7.14.8 on default branch
• PR is based on a commit that is just before the bump of @babel/core
• yarn-lock-changes thinks that the PR is downgrading @babel/core

See microsoft/react-native-test-app#426.

Currently all dependency changes are listed in summary comment.

It will be nice to detect the depth of dependency and allow users to configure maxDepth via action inputs. This field should be optional and by default set to 0, which means that comment should include all the changes.

Nice project. Support for / an equivalent for npm's package-lock.json would be great. I'm not sure how possible that is

The format of yarn.lock changed in a more recent version of Yarn:

Error: Unknown token: { line: 3, col: 2, type: 'INVALID', value: undefined } 3:2 in lockfile

It would be great the new format is also supported. Especially because Yarn 3 is pretty promising.

You can find the full build log here: https://github.com/microsoft/react-native-test-app/runs/3182759815?check_suite_focus=true

Hi there!

I followed the instructions and running into the following error message:

I've made sure yarn.lock is available, at the root of the repository. It doesn't matter if the file is changes or not in the PR. Here is an example of the file changes in the PR:

Any guidance how to debug or resolve?

Hello and thanks for developing and maintaining this action!

I have a bit of an unusual setup, in which my repo contains several projects. Sort of like a monorepo, but without all the extra tooling. Basically, my repo is in transition from a legacy app to a modern one:

/package.json and /yarn.lock for shared devDependencies.
/legacy-app/package.json and /legacy-app/yarn.lock for the legacy app.
/modern-app/package.json and /modern-app/yarn.lock for the modern app.

Is there a chance to add support for either detecting multiple yarn.lock files - or - specifying them explicitly, just like the current path allows, but for more than one?

Hi!

I'm getting the error Error: Resource not accessible by integration when the action runs on a PR created by a GitHub integration (dependabot). This makes the CI fail, I think it'd be better to just skip the workflow if it really can't run for integrations, if it can then this is a bug report :)

> Run Simek/yarn-lock-changes@main
  with:
    token: ***
    collapsibleThreshold: 25
    failOnDowngrade: false
    path: yarn.lock
    updateComment: true
Error: Resource not accessible by integration

This is the PR: mrousavy/react-native-vision-camera#158

Currently, no matter if the dependency was updated or downgraded, the reported status in the summary will be set to:

• ⬆️ UPDATED

It will be nice to differentiate between those two states:

• ⬆️ UPDATED
• ⬇️ DOWNGRADED

Intro:
yarn.lock file may contain several versions of the same dependency.
When adding/upgrading packages using yarn, you sometimes end up not with an upgrade, but with an additional of another version of the package.

In the current state of this action, when another version is added, it still marks it as updated.
I think it will be more correct to mark it as "added" with the new version, and not as update, or created additional kind of indication for that.

I will try to open a PR to emphasis that.

Worth noting: yarn-deduplicate is an important tool that dramatically helps avoiding unneeded duplications (Some duplications are needed) https://github.com/atlassian/yarn-deduplicates

Currently the table listing all the dependencies lists the dependencencies in alphabetical order based on the package name. This is fine for small diffs, but for large diffs it becomes harder to see which packages got removed/downgraded etc., at a glance.

It could be an option in the workflow step to first group the packages by status then alphabetically sort them within those groups in the table, i.e shown in the table as:

• Added (a-z)
• Updated (a-z)
• Downgraded (a-z)
• Removed (a-z)

Problem

Using the example in the README.md within private repositories causes the checkout job to crash with the following error:

remote: Repository not found.
Error: fatal: repository 'https://github.com/<your_user>/<your_repo>/' not found

This problem is already tracked here.

Solution

In order to use this action within private repositories, i also needed to add write permissions for id-token and read permissions for contents to the job, as described here, so it looks like something like this:

...

yarn_lock_changes:
    runs-on: ubuntu-latest
    permissions:
        pull-requests: write
        id-token: write
        contents: read

...