yarn.lock as generated by Dependabot is not optimal

[StephanBijzitter]

This is part of a pull request created by Dependabot, and while this installs perfectly fine, I would expect `doctrine@^2.0.0, doctrine@^2.0.2:` to change into `doctrine@^2.0.0, doctrine@^2.1.0:`, so that only 2.1.0 is installed, instead of the current 2.0.2 and 2.1.0

doctrine is a dependency of eslint, that updated from 4.15.0 to 4.16.0

[greysteil]

Thanks for the feedback @StephanBijzitter.

I'm not sure there's an easy way to fix this on Dependabot's side - we lean heavily on Yarn's internals for lockfile generation, and if Yarn doesn't behave perfectly (as it hasn't above) then there's not a lot we can do.

There's an issue open on the yarn repo, but it hasn't had as much love as I'd like. There's also yarn-tools that attempts to fix this, but I'm not 100% sure I trust it...

[StephanBijzitter]

Alright, that issue indeed seems to be exactly what I saw in one of our(/dependabot's) PRs. Hopefully they'll be able to resolve it soon. As for this issue, I'll leave it to you to close it if wanted, I've got my answer :-)

[greysteil]

👍 . I'm going to close but add a personal TODO to look into creating a yarn-tools-like PR into Yarn. The core team there are brilliant, but they've got a lot on their plate!

[scinos]

@greysteil happy to help with that PR

[greysteil]

FYI, this made it into Dependabot a few weeks ago - we now de-dup the yarn.lock for the dependency we're updating, based on some custom logic (inspired by yarn-tools). 🎉