--frozen-lockfile CI Build Error: “Your lockfile needs to be updated…”


CI Error:

The CI pipeline build fails with the following --frozen-lockfile error:

Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

I have recently encountered the above CircleCI build error while running the pipeline for a project.

Let’s understand the root cause of this error and how to solve it; it may help others in the developer community as well.

We often see files like yarn.lock or package-lock.json in our projects. They are created automatically when the package dependencies of a project are installed.

Many developers have the following questions regarding these files.

  1. What is a lock file?
  2. Why do we need a lock file?
  3. Do we need to commit it to the repo?

I have tried to explain all these topics in this article.

What is a lock file?

Lock files are text files (e.g. yarn.lock or package-lock.json) which are auto-generated and should be handled entirely by the Yarn/npm package managers. A lock file ensures that the packages we use are consistent across installations by recording the exact version of each dependency that was installed.

In other words, we can be sure that we are working with the same dependencies across all environments.

Why do we need a lock file?

Lock files pin the versions of the dependencies, so that when the dependencies are installed on any other server, including the production servers, there are no surprises: the versions are taken from the lock file, which has already been tested on the staging servers.

So now the question arises: will the dependencies be different if there is no lock file?

Well, this depends on how we define the version of each package in our package.json. If all packages use fixed (exact) versions, then we may not need a lock file at all.

But most projects use the semantic versioning range syntax, where dependency versions are prefixed with either a ~ or a ^ symbol.

A version with ^ will install the latest minor version (within the same major version) available at install time. Similarly, a version with ~ will install the latest patch version. These features exist so that the developer does not need to upgrade versions manually every time.

But this carries the risk of a version change while deploying the project to production, because the latest version of a package at deployment time may differ from the one that was latest during development.

So it is better to use a lock file. When deploying to production servers, the lock file is used as the reference for the dependencies, and the same versions that were used at development time are installed.
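As an added example (not code from the article), the following JavaScript implements a minimal resolver for exact, ^ and ~ ranges and shows how the same package.json range picks a different version once new releases appear, which is exactly the drift a committed lock file prevents. The registry snapshots and the function names (`parseVersion`, `satisfies`, `resolve`, `driftReport`) are constructed for this example; a real install uses the `semver` package, which handles far more range syntax.

```javascript
// Added example: how ^ and ~ ranges resolve against the versions that are
// published at a given moment. Only exact, ^ and ~ ranges are supported.

// Parse "1.2.3" into [1, 2, 3]; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Turn a range into an inclusive lower bound and an exclusive upper bound.
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base) throw new Error(`unsupported range: ${range}`);
  const [major, minor, patch] = base;
  if (op === '') return { lower: base, upper: null, exact: true };
  let upper;
  if (op === '~') {
    upper = [major, minor + 1, 0];      // ~1.2.3 => >=1.2.3 <1.3.0
  } else if (major > 0) {
    upper = [major + 1, 0, 0];          // ^1.2.3 => >=1.2.3 <2.0.0
  } else if (minor > 0) {
    upper = [0, minor + 1, 0];          // ^0.2.3 => >=0.2.3 <0.3.0
  } else {
    upper = [0, 0, patch + 1];          // ^0.0.3 => >=0.0.3 <0.0.4
  }
  return { lower: base, upper, exact: false };
}

function satisfies(range, version) {
  const v = parseVersion(version);
  if (!v) return false;
  const { lower, upper, exact } = rangeBounds(range);
  if (exact) return compareVersions(v, lower) === 0;
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Pick the highest published version that satisfies the range, as an
// install without a lock file would; returns null when nothing matches.
function resolve(range, published) {
  const matches = published.filter((v) => satisfies(range, v));
  matches.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return matches.length ? matches[matches.length - 1] : null;
}

// Constructed registry snapshots: what existed at development time versus
// what exists when the project is deployed some weeks later.
const AT_DEV_TIME = ['1.2.3', '1.2.4', '1.3.0', '2.0.0'];
const AT_DEPLOY_TIME = [...AT_DEV_TIME, '1.2.5', '1.4.0', '2.1.0'];

// For each range, the version installed at development time and the version
// a fresh, lock-less install would pick at deployment time.
function driftReport(ranges) {
  return ranges.map((range) => ({
    range,
    atDev: resolve(range, AT_DEV_TIME),
    atDeploy: resolve(range, AT_DEPLOY_TIME),
  }));
}

for (const row of driftReport(['1.2.3', '~1.2.3', '^1.2.3'])) {
  console.log(`${row.range.padEnd(7)} dev: ${row.atDev}  deploy: ${row.atDeploy}`);
}
```

Only the exact range gives the same answer in both snapshots; ~1.2.3 moves from 1.2.4 to 1.2.5 and ^1.2.3 from 1.3.0 to 1.4.0, so code tested against 1.3.0 would run on 1.4.0 in production unless yarn.lock pins it.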

Do we need to commit it to the repo?

Well, as we have seen, most dependency versions in the package.json file are prefixed with either ~ or ^.

So there may be a difference between the specified version and the installed version of a package:

  1. Specified version: the version written against the package name in the package.json file.
  2. Installed version: the version actually installed in the absence of a lock file.

So if we don’t commit the lock file, a new, untested version may be installed in production, and there is a chance that it breaks the production server or introduces problems into the production code.

So it is always recommended to commit the lock file.

So that was about the lock file. Now let’s understand why we received the --frozen-lockfile error below:

Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.

If you are getting this error, you have probably updated only your package.json and then tried to run “yarn install --frozen-lockfile”.

In this case the above error appears in the console because the --frozen-lockfile option will not modify the lock file itself; it is telling you that yarn.lock also needs to be updated, so that it matches the dependencies in your package.json.

So if you push a change to package.json to the git repository that is already checked out on the server, but forget to update the yarn.lock file and commit it, the --frozen-lockfile option will warn you about it.
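As an added example (not code from the article or from Yarn itself), here is a simplified version of the check behind the error: it parses a yarn.lock in the v1 format and reports every `name@range` declared in package.json that has no entry in the lock file. The package.json object, the lock file text with its placeholder URLs and integrity values, and the function names (`parseYarnLock`, `declaredKeys`, `lockfileMismatches`) are constructed for this example; Yarn's real check re-resolves the dependencies and compares the whole lock file, so this is an approximation that catches the common case of a bumped range.

```javascript
// Added example: detect a package.json/yarn.lock mismatch the way a
// --frozen-lockfile run would complain about it. Only yarn v1 lock files
// are handled and all inputs below are constructed.

// Constructed package.json: "lodash" was bumped to ^4.17.21, but the lock
// file below still only knows lodash@^4.17.15.
const PACKAGE_JSON = {
  dependencies: { lodash: '^4.17.21', 'left-pad': '~1.3.0' },
  devDependencies: { '@babel/core': '^7.10.0' },
};

// Constructed yarn.lock (v1 format). One entry may list several ranges
// that resolved to the same version, comma separated. URLs and integrity
// values are placeholders.
const YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.10.0":
  version "7.10.5"
  resolved "https://registry.example/placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    "@babel/highlight" "^7.10.4"

left-pad@~1.3.0, left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.example/placeholder"
  integrity sha512-PLACEHOLDER

lodash@^4.17.15:
  version "4.17.20"
  resolved "https://registry.example/placeholder"
  integrity sha512-PLACEHOLDER
`;

// Parse a v1 yarn.lock into a Map of "name@range" -> locked version.
// Entry headers sit at column 0 and end with ':'; a header may hold several
// comma-separated keys, optionally quoted. The version follows on an
// indented `version "x.y.z"` line; other indented lines are ignored.
function parseYarnLock(text) {
  const locked = new Map();
  let currentKeys = [];
  for (const line of text.split('\n')) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      currentKeys = line
        .slice(0, -1)
        .split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) {
      for (const key of currentKeys) locked.set(key, m[1]);
    }
  }
  return locked;
}

// Every name@range that package.json declares.
function declaredKeys(pkg) {
  const keys = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      keys.push(`${name}@${range}`);
    }
  }
  return keys;
}

// Declared keys the lock file has no entry for. A non-empty result is the
// situation --frozen-lockfile refuses to install.
function lockfileMismatches(pkg, lockText) {
  const locked = parseYarnLock(lockText);
  return declaredKeys(pkg).filter((key) => !locked.has(key));
}

const missing = lockfileMismatches(PACKAGE_JSON, YARN_LOCK);
if (missing.length) {
  console.log('yarn.lock is out of date for:');
  for (const key of missing) console.log(`  ${key}`);
} else {
  console.log('yarn.lock matches package.json');
}
```

Running it reports lodash@^4.17.21 as missing, the same state --frozen-lockfile rejects; once yarn.lock is regenerated with yarn install and committed, the list is empty and the CI step passes.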

Below are the solutions for this error:

Solution 1: (Recommended)

  1. Run yarn install to update the yarn.lock file
  2. Push yarn.lock to the repository.

Solution 2:

  1. Remove the ^ from the dependencies.
  2. Delete the yarn.lock file.

I hope this helps everyone! Feel free to comment with any suggestion or update to the article.
