View my tickets
Submit a ticket Try Snyk for free

Articles in this section

See more
  1. Support Portal | Snyk
  2. Using Snyk
  3. Fixing Vulnerabilities

Failed to update the yarn.lock, please update manually before merging.

  • Updated

Problem

When opening a Fix Pull Request from Snyk on a Yarn project you may sometimes receive the following Warning in the body of your PR:

 

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

 

Discussion

There could be a couple of different issues when Snyk fails to update the yarn.lock file when creating a PR.

Yarn Workspaces.

For Yarn Workspaces, only the package.json file is updated for Snyk Fix PRs. The yarn.lock file is not updated. See the Snyk User Docs for more detail:  https://docs.snyk.io/scan-application-code/supported-languages-and-frameworks/javascript#getting-started-with-snyk-for-javascript-across-environments

Private Dependencies

The most common root cause of this warning is the project has some private dependencies that Snyk does not have access to and is thus failing to re-lock the yarn.lock file.

In these cases, it will be necessary to re-lock the yarn.lock file manually from a system that has access to the private dependencies.

If you have a private package repository configured in Snyk, ensure that it is connected in the Javascript language settings. https://docs.snyk.io/integrations/package-repository-integrations/ 

Out-of-Sync Package.json and Yarn.lock files

Another common issue is that the two files i.e package.json and the yarn.lock files are out of sync. For this, you could simply run yarn install and that should resolve the issue.