Yarn creates a yarn.lock file after you perform a yarn install.
Should this be committed to the repository or ignored? What is it for?
You should use yarn install --frozen-lockfile and NOT yarn install as a default, both locally and on CI build servers. (I opened a ticket on yarn's issue tracker to make a case for making frozen-lockfile the default behavior, see #4147.)
Beware NOT to set the frozen-lockfile flag in the .yarnrc file, as that would prevent you from being able to sync the package.json and yarn.lock files. See the related yarn issue on GitHub.
yarn install may mutate your yarn.lock unexpectedly, making Yarn's claims of repeatable builds null and void. You should only use yarn install to initialize a yarn.lock and to update it.
Also, esp. in larger teams, you may have a lot of noise around changes in the yarn lock only because a developer was setting up their local project.
For further information, read my answer about npm's package-lock.json, as that applies here as well.
This was also recently made clear in the docs for yarn install:
yarn install

Install all the dependencies listed within package.json in the local node_modules folder.

The yarn.lock file is utilized as follows:
- If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions.
- If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.
If you want to ensure yarn.lock is not updated, use --frozen-lockfile.
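Added example (not from the answer or from Yarn itself): a small POSIX sh guard for CI that runs whatever install command you give it and fails the step if yarn.lock was created, removed or rewritten in the process, which makes the silent lockfile mutation described above visible; the function name and the fingerprint helper are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical CI guard: detect yarn.lock drift caused by an install command.
# Use it around the install step, e.g.:
#   check_lockfile_unchanged yarn install --frozen-lockfile
# Exit codes: 0 = lockfile untouched, 1 = lockfile drifted, 2 = install failed.

# Stable fingerprint of a file; prefers sha256sum, falls back to shasum.
fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Fingerprint yarn.lock in the current directory, or "absent" if missing.
lockfile_state() {
  if [ -f yarn.lock ]; then
    fingerprint yarn.lock
  else
    echo absent
  fi
}

# Run "$@" and compare yarn.lock before and after.
check_lockfile_unchanged() {
  before=$(lockfile_state)
  "$@" || return 2
  after=$(lockfile_state)
  if [ "$before" != "$after" ]; then
    echo "yarn.lock changed while running '$*' ($before -> $after)." >&2
    echo "Commit the updated lockfile deliberately; do not let CI rewrite it." >&2
    return 1
  fi
  return 0
}
```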