|
| 1 | +--- |
| 2 | +description: Use this rule if you are looking to upgrade a dependency in the Sentry JavaScript SDKs |
| 3 | +globs: |
| 4 | +alwaysApply: false |
| 5 | +--- |
| 6 | +# Yarn v1 Dependency Upgrades |
| 7 | + |
| 8 | +## Upgrade Process |
| 9 | + |
| 10 | +### Dependency Analysis |
| 11 | + |
| 12 | +```bash |
| 13 | +# Check dependency tree |
| 14 | +yarn list --depth=0 |
| 15 | + |
| 16 | +# Find why package is installed |
| 17 | +yarn why [package-name] |
| 18 | +``` |
| 19 | + |
| 20 | +### Root Workspace vs. Package Dependencies |
| 21 | + |
| 22 | +**CRITICAL**: Understand the difference between dependency types: |
| 23 | + |
| 24 | +- **Root Workspace dependencies**: Shared dev tools, build tools, testing frameworks |
| 25 | +- **Package dependencies**: Package-specific runtime and dev dependencies |
| 26 | +- Always check if dependency should be in root workspace or package level |
| 27 | + |
| 28 | +### Upgrade Dependencies |
| 29 | + |
| 30 | +**MANDATORY**: Only ever upgrade a single package at a time. |
| 31 | + |
| 32 | +**CRITICAL RULE**: If a dependency is not defined in `package.json` anywhere, the upgrade must be run in the root workspace as the `yarn.lock` file is contained there. |
| 33 | + |
| 34 | +```bash |
| 35 | +# Upgrade specific package to latest compatible version |
| 36 | +npx yarn-update-dependency@latest [package-name] |
| 37 | +``` |
| 38 | + |
| 39 | +Avoid upgrading top-level dependencies (defined in `package.json`), especially if they are used for tests. If you are going to upgrade them, ask the user before proceeding. |
| 40 | + |
| 41 | +**REQUIREMENT**: If a `package.json` file is updated, make sure it has a new line at the end. |
| 42 | + |
| 43 | +#### CRITICAL: OpenTelemetry Dependency Constraint |
| 44 | + |
| 45 | +**STOP UPGRADE IMMEDIATELY** if upgrading any dependency with `opentelemetry` in the name and the new version or any of its dependencies uses forbidden OpenTelemetry versions. |
| 46 | + |
| 47 | +**FORBIDDEN VERSION PATTERNS:** |
| 48 | +- `2.x.x` versions (e.g., `2.0.0`, `2.1.0`) |
| 49 | +- `0.2xx.x` versions (e.g., `0.200.0`, `0.201.0`) |
| 50 | + |
| 51 | +When upgrading OpenTelemetry dependencies: |
| 52 | +1. Check the dependency's `package.json` after upgrade |
| 53 | +2. Verify the package itself doesn't use forbidden version patterns |
| 54 | +3. Verify none of its dependencies use `@opentelemetry/*` packages with forbidden version patterns |
| 55 | +4. **Example**: `@opentelemetry/instrumentation-pg@0.52.0` is forbidden because it bumped to core `2.0.0` and instrumentation `0.200.0` |
| 56 | +5. If forbidden OpenTelemetry versions are detected, **ABORT the upgrade** and notify the user that this upgrade cannot proceed due to OpenTelemetry v2+ compatibility constraints |
| 57 | + |
| 58 | +#### CRITICAL: E2E Test Dependencies |
| 59 | + |
| 60 | +**DO NOT UPGRADE** the major version of dependencies in test applications where the test name explicitly mentions a dependency version. |
| 61 | + |
| 62 | +**RULE**: For `dev-packages/e2e-tests/test-applications/*`, if the test directory name mentions a specific version (e.g., `nestjs-8`), do not upgrade that dependency beyond the mentioned major version. |
| 63 | + |
| 64 | +**Example**: Do not upgrade the nestjs version of `dev-packages/e2e-tests/test-applications/nestjs-8` to nestjs 9 or above because the test name mentions nestjs 8. |
| 65 | + |
| 66 | +## Safety Protocols |
| 67 | + |
| 68 | +### Pre-Upgrade Checklist |
| 69 | + |
| 70 | +**COMPLETE ALL STEPS** before proceeding with any upgrade: |
| 71 | + |
| 72 | +1. **Backup**: Ensure clean git state or create backup branch |
| 73 | +2. **CI Status**: Verify all tests are passing |
| 74 | +3. **Lockfile works**: Confirm `yarn.lock` is in a good state (no merge conflicts) |
| 75 | +4. **OpenTelemetry Check**: For OpenTelemetry dependencies, verify no forbidden version patterns (`2.x.x` or `0.2xx.x`) will be introduced |
| 76 | + |
| 77 | +### Post-Upgrade Verification |
| 78 | + |
| 79 | +```bash |
| 80 | +# rebuild everything |
| 81 | +yarn install |
| 82 | + |
| 83 | +# Build the project |
| 84 | +yarn build:dev |
| 85 | + |
| 86 | +# Make sure dependencies are deduplicated |
| 87 | +yarn dedupe-deps:fix |
| 88 | + |
| 89 | +# Fix any linting issues |
| 90 | +yarn fix |
| 91 | + |
| 92 | +# Check circular dependencies |
| 93 | +yarn circularDepCheck |
| 94 | +``` |
| 95 | + |
| 96 | +## Version Management |
| 97 | + |
| 98 | +### Pinning Strategies |
| 99 | + |
| 100 | +- **Exact versions** (`1.2.3`): Use for critical dependencies |
| 101 | +- **Caret versions** (`^1.2.3`): Allow minor updates only |
| 102 | +- **Latest tag**: Avoid as much as possible other than in certain testing and development scenarios |
| 103 | + |
| 104 | +## Troubleshooting |
| 105 | + |
| 106 | +- **Yarn Version**: Run `yarn --version` - must be yarn v1 (not v2/v3/v4) |
| 107 | +- **Lockfile Issues**: Verify yarn.lock exists and is properly maintained. Fix merge conflicts by running `yarn install` |
| 108 | + |
| 109 | +## Best Practices |
| 110 | + |
| 111 | +### Security Audits |
| 112 | + |
| 113 | +```bash |
| 114 | +# Check for security vulnerabilities |
| 115 | +yarn audit |
| 116 | + |
| 117 | +# Fix automatically fixable vulnerabilities |
| 118 | +yarn audit fix |
| 119 | + |
| 120 | +# Install security patches only |
| 121 | +yarn upgrade --security-only |
| 122 | +``` |
| 123 | + |
| 124 | +### Check for Outdated Dependencies |
| 125 | + |
| 126 | +```bash |
| 127 | +# Check all outdated dependencies |
| 128 | +yarn outdated |
| 129 | + |
| 130 | +# Check specific package |
| 131 | +yarn outdated [package-name] |
| 132 | + |
| 133 | +# Check dependencies in specific workspace |
| 134 | +yarn workspace [workspace-name] outdated |
| 135 | +``` |
| 136 | + |
| 137 | +### Using yarn info for Dependency Inspection |
| 138 | + |
| 139 | +Use `yarn info` to inspect package dependencies before and after upgrades: |
| 140 | + |
| 141 | +```bash |
| 142 | +# Check current version and dependencies |
| 143 | +yarn info <package-name> |
| 144 | + |
| 145 | +# Check specific version dependencies |
| 146 | +yarn info <package-name>@<version> |
| 147 | + |
| 148 | +# Check dependencies field specifically |
| 149 | +yarn info <package-name>@<version> dependencies |
| 150 | + |
| 151 | +# Check all available versions |
| 152 | +yarn info <package-name> versions |
| 153 | +``` |
| 154 | + |
| 155 | +The `yarn info` command provides detailed dependency information without requiring installation, making it particularly useful for: |
| 156 | +- Verifying OpenTelemetry packages don't introduce forbidden version patterns (`2.x.x` or `0.2xx.x`) |
| 157 | +- Checking what dependencies a package will bring in before upgrading |
| 158 | +- Understanding package version history and compatibility |
| 159 | + |
| 160 | +### Documentation |
| 161 | + |
| 162 | +- Update README or code comments if dependency change affects usage of the SDK or its integrations |
| 163 | +- Notify team of significant changes |
0 commit comments