<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:27:35 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3368] SPIKE:  Review platform-complete update pipelines and procedures</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3368</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;yarn.lock is frequently updated on the release branches even when there are no FOLIO NPM updates. This is less than ideal: each unintended regeneration resolves the ranges in package.json against whatever is newest in the registry, so the dependency set that gets built is no longer the one recorded in the reviewed lockfile, and this can lead to broken builds down the line - particularly over time. yarn.lock should be modified only when there are relevant FOLIO NPM packages that need to be updated, and the scope of the modifications should ideally be limited to the intended updates.&lt;/p&gt;</description>
                <environment></environment>
        <key id="82288">FOLIO-3368</key>
            <summary>SPIKE:  Review platform-complete update pipelines and procedures</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10000">Won&apos;t Do</resolution>
                                                        <assignee accountid="5f9abc1eb45b2e007453f423">John Malconian</assignee>
                                                                <reporter accountid="5f9abc1eb45b2e007453f423">John Malconian</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Tue, 14 Dec 2021 19:30:34 +0000</created>
                <updated>Wed, 10 May 2023 11:27:22 +0000</updated>
                            <resolved>Mon, 25 Jul 2022 14:33:51 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>6</watches>
                                                                <comments>
                                                            <comment id="197011" author="5ee89462f7aa140abd82d11d" created="Tue, 21 Dec 2021 12:59:20 +0000"  >&lt;p&gt;Modules indicate for each dependency whether they allow patch version or minor version upgrades.&lt;/p&gt;

&lt;p&gt;That way security and functional fixes automatically get included.&lt;/p&gt;

&lt;p&gt;The disadvantage is that a patch or minor version upgrade might not be as compatible as intended.&lt;/p&gt;

&lt;p&gt;Is it difficult to revert such an upgrade?&lt;/p&gt;</comment>
                                                            <comment id="197015" author="557058:b5c00130-8516-454c-acae-335db2b62fd8" created="Thu, 17 Feb 2022 20:35:58 +0000"  >&lt;p&gt;I do question if this issue is necessary as there are legitimate updates made to 3rd-party dependencies in a formal way which does result in an update to `yarn.lock`. See &lt;a href=&quot;https://github.com/folio-org/platform-complete/pull/1799&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-complete/pull/1799&lt;/a&gt;&#160;for an example.&lt;/p&gt;</comment>
                                                            <comment id="197018" author="5ee89462f7aa140abd82d11d" created="Sat, 19 Feb 2022 16:33:15 +0000"  >&lt;p&gt;Running yarn install works exactly as desired and required:&lt;/p&gt;
&lt;h5&gt;&lt;a name=&quot;%7B%7B%7D%7D&quot;&gt;&lt;/a&gt;{{}}&lt;/h5&gt;
&lt;div class=&quot;panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelHeader&quot; style=&quot;border-bottom-width: 1px;&quot;&gt;&lt;b&gt;&lt;a href=&quot;https://classic.yarnpkg.com/en/docs/cli/install#toc-yarn-install&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://classic.yarnpkg.com/en/docs/cli/install#toc-yarn-install&lt;/a&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class=&quot;panelContent&quot;&gt;
&lt;p&gt;&#160;&lt;/p&gt;
&lt;h5&gt;&lt;a name=&quot;%7B%7Byarninstall%7D%7Dhttps%3A%2F%2Fclassic.yarnpkg.com%2Fen%2Fdocs%2Fcli%2Finstall%23tocyarninstall&quot;&gt;&lt;/a&gt;&lt;tt&gt;yarn install&lt;/tt&gt; &lt;a href=&quot;https://classic.yarnpkg.com/en/docs/cli/install#toc-yarn-install&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://classic.yarnpkg.com/en/docs/cli/install#toc-yarn-install&lt;/a&gt;&lt;/h5&gt;

&lt;p&gt;Install all the dependencies listed within &lt;tt&gt;package.json&lt;/tt&gt; in the local &lt;tt&gt;node_modules&lt;/tt&gt; folder.&lt;/p&gt;

&lt;p&gt;The &lt;tt&gt;yarn.lock&lt;/tt&gt; file is utilized as follows:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;If &lt;tt&gt;yarn.lock&lt;/tt&gt; is present and is enough to satisfy all the dependencies listed in &lt;tt&gt;package.json&lt;/tt&gt;, the exact versions recorded in &lt;tt&gt;yarn.lock&lt;/tt&gt; are installed, and &lt;tt&gt;yarn.lock&lt;/tt&gt; will be unchanged. Yarn will not check for newer versions.&lt;/li&gt;
	&lt;li&gt;If &lt;tt&gt;yarn.lock&lt;/tt&gt; is absent, or is &lt;em&gt;not&lt;/em&gt; enough to satisfy all the dependencies listed in &lt;tt&gt;package.json&lt;/tt&gt; (for example, if you manually add a dependency to &lt;tt&gt;package.json&lt;/tt&gt;), Yarn looks for the newest versions available that satisfy the constraints in &lt;tt&gt;package.json&lt;/tt&gt;. The results are written to &lt;tt&gt;yarn.lock&lt;/tt&gt;.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&#160;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;If one change to yarn.lock is needed, then all dependencies are bumped as far as the version specs set by the developers allow it. This is fine: it installs bug fixes and security fixes, and the result is stored in the git repository so that you can always check out a specific commit for a reproducible build.&lt;/p&gt;</comment>
                                                            <comment id="197020" author="5ee89462f7aa140abd82d11d" created="Tue, 22 Feb 2022 19:11:30 +0000"  >&lt;p&gt;What others say:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://11sigma.com/blog/2021/09/03/yarn-lock-how-it-works-and-what-you-risk-without-maintaining-yarn-dependencies-deep-dive/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://11sigma.com/blog/2021/09/03/yarn-lock-how-it-works-and-what-you-risk-without-maintaining-yarn-dependencies-deep-dive/&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="197023" author="5cf6c546b87c300f36eb7b9a" created="Thu, 24 Feb 2022 16:15:18 +0000"  >&lt;p&gt;The Security Team has reviewed this. We aren&apos;t going to stop you from doing this spike, but our preference at this time is to keep things as they currently stand. Please share your spike findings with us prior to making any decisions.&lt;/p&gt;</comment>
                                                            <comment id="197025" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 24 Feb 2022 16:30:12 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f9abc1eb45b2e007453f423&quot; class=&quot;user-hover&quot; rel=&quot;5f9abc1eb45b2e007453f423&quot; data-account-id=&quot;5f9abc1eb45b2e007453f423&quot; accountid=&quot;5f9abc1eb45b2e007453f423&quot; rel=&quot;noreferrer&quot;&gt;John Malconian&lt;/a&gt; What&apos;s the configuration for these updates? Is it patch-releases only?&lt;/p&gt;</comment>
                                                            <comment id="197028" author="5f9abc1eb45b2e007453f423" created="Fri, 25 Feb 2022 02:31:11 +0000"  >&lt;p&gt;I think there may be a misunderstanding of the issue that prompted this Jira issue. My feeling is that yarn.lock should only be updated when there is a specific NPM update to be made. Currently, the CI pipeline that is run for PRs in this repo ignores the yarn.lock file and generates an updated yarn.lock even when the PR contains a change that is not related to an NPM update at all. This is the issue I&apos;d like to review and address.&lt;/p&gt;</comment>
                                                            <comment id="197030" author="557058:b5c00130-8516-454c-acae-335db2b62fd8" created="Tue, 1 Mar 2022 20:12:09 +0000"  >&lt;p&gt;Sounds like we need to make sure the &lt;tt&gt;--frozen-lockfile&lt;/tt&gt;&#160;flag gets passed when running &lt;tt&gt;yarn install&lt;/tt&gt; in CI builds, so that a lockfile that no longer satisfies package.json fails the build instead of being silently rewritten. See &lt;a href=&quot;https://classic.yarnpkg.com/lang/en/docs/cli/install/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://classic.yarnpkg.com/lang/en/docs/cli/install/&lt;/a&gt;&#160;(4th paragraph):&#160;&lt;/p&gt;
&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass&#160;--frozen-lockfile&#160;flag.&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="197032" author="5f9abc1eb45b2e007453f423" created="Thu, 7 Apr 2022 14:06:40 +0000"  >&lt;p&gt;Yes, something like that. We possibly need to add some logic to the pipeline so that it only updates yarn.lock when the PR includes NPM-related updates.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx1ap:u</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1718">DevOps Sprint 160</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 21 Dec 2021 12:59:20 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>