I'm pretty new to working in teams and proper CI/CD workflows, and also new to yarn. I'm trying to figure out how to use the yarn.lock file properly. This yarn documentation says:

If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass --frozen-lockfile flag.

From what I understand, this means that yarn will install packages based on the package.json file without modifying the yarn.lock file. And there might be modifications because

New versions of packages are published all the time and since package.json specifies version ranges you need to lock them down to a single version. (yarn blog)

My question is, do you then necessarily want the yarn.lock file to never change as long as package.json doesn't change? Or should it still change over time to use newer versions of packages? Are we as developers supposed to explicitly test the new versions whenever we allow yarn.lock to change?

Another problem is when I want to make a PR where I add a new package. Now, using the --frozen-lockfile flag throws this error:

error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.

But if I just do a normal yarn install, the entire yarn.lock file changes resulting in a merge conflict of 14k conflicting lines. Is that okay? Is that the proper way to add new packages?

Nathan Tew

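When a whole yarn.lock is rewritten (typically because two people ran different yarn versions and the file was reserialized), a raw text diff is noise; what a reviewer needs to approve is the change in the resolved dependency set. The script below is an added example, not code from the question or from the yarn project. It parses the yarn v1 lockfile format (top-level `name@range:` keys followed by indented `version`, `resolved` and `integrity` fields) and reports which keys were added, removed or moved to a new version, and separately flags entries whose version is unchanged but whose `resolved` URL or `integrity` hash differs, since that is the one case a reviewer should never wave through. The two lockfiles embedded in it are constructed samples with placeholder hashes.

```python
import re
from typing import Dict, Tuple

# Constructed sample lockfiles in yarn v1 format (not taken from any real project).
# LOCK_AFTER adds left-pad, bumps lodash, and changes @babel/code-frame's
# integrity without changing its version, which the diff must flag.
LOCK_BEFORE = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#aaaa"
  integrity sha512-PLACEHOLDER-A
  dependencies:
    "@babel/highlight" "^7.10.4"

lodash@^4.17.15, lodash@^4.17.19:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#bbbb"
  integrity sha512-PLACEHOLDER-B
"""

LOCK_AFTER = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#cccc"
  integrity sha512-PLACEHOLDER-C
  dependencies:
    "@babel/highlight" "^7.10.4"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#dddd"
  integrity sha512-PLACEHOLDER-D

lodash@^4.17.15, lodash@^4.17.19:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#eeee"
  integrity sha512-PLACEHOLDER-E
"""

Entry = Tuple[str, str, str]  # (version, resolved, integrity)

_FIELD = re.compile(r'^\s+(version|resolved|integrity)\s+"?([^"]*)"?\s*$')


def parse_yarn_lock_v1(text: str) -> Dict[str, Entry]:
    """Map every `name@range` key to its (version, resolved, integrity) triple.

    A header line like `lodash@^4.17.15, lodash@^4.17.19:` binds several keys to
    one entry. Only two-space-indented fields are read; the nested `dependencies:`
    block (four-space indent) is ignored because it does not affect resolution.
    """
    entries: Dict[str, Entry] = {}
    keys = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            for k in keys:
                entries[k] = (fields.get("version", ""), fields.get("resolved", ""),
                              fields.get("integrity", ""))
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
            fields = {}
        elif line.startswith("  ") and not line.startswith("    "):
            m = _FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    for k in keys:  # flush the last entry
        entries[k] = (fields.get("version", ""), fields.get("resolved", ""),
                      fields.get("integrity", ""))
    return entries


def diff_lockfiles(before: str, after: str) -> dict:
    """Semantic diff of two lockfiles, keyed by `name@range`."""
    a, b = parse_yarn_lock_v1(before), parse_yarn_lock_v1(after)
    report = {"added": [], "removed": [], "upgraded": [], "suspicious": []}
    for key in sorted(set(a) | set(b)):
        if key not in a:
            report["added"].append((key, b[key][0]))
        elif key not in b:
            report["removed"].append((key, a[key][0]))
        elif a[key][0] != b[key][0]:
            report["upgraded"].append((key, a[key][0], b[key][0]))
        elif a[key] != b[key]:
            # Same version, different tarball URL or integrity hash: the
            # artifact behind an "unchanged" dependency moved. Review manually.
            report["suspicious"].append((key, a[key][0]))
    return report


if __name__ == "__main__":
    for kind, items in diff_lockfiles(LOCK_BEFORE, LOCK_AFTER).items():
        for item in items:
            print(kind, *item)
```

Run it against `git show origin/main:yarn.lock` and the working-tree file before opening the PR; an `added` list containing only the package you meant to add, and an empty `suspicious` list, is what a reviewer should expect to see, regardless of how many raw lines the reserialization touched. In CI, `yarn install --frozen-lockfile` is the complementary guard: it refuses to proceed when the committed lockfile no longer matches package.json, so resolution changes can only enter through a reviewed commit rather than silently at build time.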