Problem
When opening a Fix Pull Request from Snyk on a Yarn project, you may sometimes see the following warning in the body of the PR:
⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.
Discussion
There are a couple of different reasons why Snyk can fail to update the yarn.lock file when creating a PR.
Yarn Workspaces
For Yarn Workspaces, only the package.json file is updated in Snyk Fix PRs; the yarn.lock file is not updated. See the Snyk User Docs for more detail: https://docs.snyk.io/scan-application-code/supported-languages-and-frameworks/javascript#getting-started-with-snyk-for-javascript-across-environments
Private Dependencies
The most common root cause of this warning is that the project has private dependencies that Snyk does not have access to, so Snyk fails to re-lock the yarn.lock file.
In these cases, it is necessary to re-lock the yarn.lock file manually from a system that has access to the private dependencies.
If you have a private package repository configured in Snyk, ensure that it is connected in the JavaScript language settings: https://docs.snyk.io/integrations/package-repository-integrations/
Out-of-Sync package.json and yarn.lock files
Another common issue is that the two files, i.e. package.json and yarn.lock, are out of sync. In this case, simply run yarn install, which should resolve the issue.
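Before re-locking, it helps to know which of the two causes above applies. The script below is an added example, not part of this article and not a Snyk tool: it parses a Yarn classic (v1) yarn.lock, lists package.json specifiers that have no lockfile entry (the out-of-sync case), and lists entries whose tarball is resolved from a host other than the public registries (the private-dependency case, where an external re-lock needs registry credentials). The package.json and yarn.lock contents, the `@acme/internal-utils` package and the `npm.acme.example` host are constructed sample data; Yarn Berry lockfiles are YAML and are not handled here.

```python
"""Check a package.json against a Yarn v1 yarn.lock.

Added example, not part of the Snyk article and not Snyk's tooling.
Assumes the Yarn classic (v1) lockfile format; Yarn Berry lockfiles are
YAML and are not parsed by this script.
"""
import json
import re
from urllib.parse import urlparse

# Hosts of the public npm registries; anything else is treated as a private
# registry that an external tool such as Snyk may not be able to reach.
PUBLIC_REGISTRY_HOSTS = ("registry.yarnpkg.com", "registry.npmjs.org")

# A top-level key line: one or more comma-separated, optionally quoted
# specifiers such as  lodash@^4.17.20:  or  "@scope/pkg@^1.0.0", "@scope/pkg@^1.2.0":
_KEY_LINE = re.compile(r'^(?P<keys>[^\s].*):$')


def parse_yarn_lock_v1(text):
    """Return {"name@range": {"version": ..., "resolved": ..., "integrity": ...}}
    with one dictionary entry per specifier key in the lockfile."""
    entries = {}
    current = []  # specifier keys the indented fields below belong to
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if not raw.startswith(" "):
            m = _KEY_LINE.match(raw)
            if not m:
                continue
            current = [k.strip().strip('"') for k in m.group("keys").split(", ")]
            for k in current:
                entries[k] = {}
            continue
        # Indented line: a field of the current entry (nested "dependencies"
        # blocks are indented further and their lines are simply ignored).
        field, _, value = raw.strip().partition(" ")
        if field in ("version", "resolved", "integrity"):
            for k in current:
                entries[k][field] = value.strip('"')
    return entries


def missing_lock_entries(package_json, lock_entries):
    """Specifiers declared in package.json with no matching yarn.lock entry.
    A non-empty result means the files are out of sync and `yarn install`
    must be run and the resulting yarn.lock committed."""
    missing = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, rng in package_json.get(section, {}).items():
            spec = f"{name}@{rng}"
            if spec not in lock_entries:
                missing.append(spec)
    return missing


def private_registry_entries(lock_entries):
    """Lockfile entries whose tarball is not served by a public registry,
    mapped to the registry host. Re-locking these needs credentials for
    that host, which is why a re-lock from outside the organisation fails."""
    private = {}
    for spec, fields in lock_entries.items():
        resolved = fields.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if resolved and host not in PUBLIC_REGISTRY_HOSTS:
            private[spec] = host
    return private


# Constructed sample input: lodash is declared at ^4.17.21 but locked at
# ^4.17.20, jest has no lock entry, and @acme/internal-utils comes from a
# (fictional) private registry.
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "dependencies": {"lodash": "^4.17.21", "@acme/internal-utils": "^2.1.0"},
    "devDependencies": {"jest": "^29.0.0"},
}

SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@acme/internal-utils@^2.1.0":
  version "2.1.3"
  resolved "https://npm.acme.example/@acme/internal-utils/-/internal-utils-2.1.3.tgz#abc123"
  integrity sha512-PLACEHOLDER

lodash@^4.17.20:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
  integrity sha512-PLACEHOLDER
"""


if __name__ == "__main__":
    # In a real checkout: json.load(open("package.json")) and open("yarn.lock").read()
    lock = parse_yarn_lock_v1(SAMPLE_YARN_LOCK)
    print("out of sync:", missing_lock_entries(SAMPLE_PACKAGE_JSON, lock))
    print("private registries:", private_registry_entries(lock))
```

If the "out of sync" list is non-empty, run `yarn install` and commit yarn.lock; if the "private registries" list is non-empty, do the re-lock from a machine that is authenticated against those hosts, and check that the same repository is connected in Snyk's JavaScript language settings.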