When we update or change npm dependencies we are forced to run

kotlinUpgradeYarnLock

before assembling again. If not, assembling fails. I wonder if this task could be setup to run automatically if dependencies changes are found. This would remove the additional step compared to K/JVM. It's not a big deal, just a DevEx improvement imo.

This is a feature, not a bug. The point is to make sure that dependencies don’t change unexpectedly. If you have Gradle dependency locking enabled, the behavior is the same.

Set

yarnLockAutoReplace = true

. See https://kotlinlang.org/docs/js-project-setup.html#reporting-that-yarn-lock-has-been-updated

Thanks! Didn't know those Yarn options were already there. Nice!

There was a significant incident about 2 years ago, where a JavaScript package that Kotlin uses was updated with a malicious new version. Because NPM package versions weren’t pinned with a lock file at the time, any Kotlin/JS developer that happened to simply compile their application during a window of time would automatically download the new dependency version, run system install scripts, and had their computer infected with crypto mining spyware.

I think majory of users simply run

kotlinUpgradeYarnLock assemble

without even thinking about it. So probably the end result wouldn't change. I check the dependencies I'm going to include obviously.

You do you. I just want to make sure you’re able to make an informed decision.

For prototyping I just disable the lockfile (locally) but keeping enabled on remote/main branch.

@hfhbd thanks! That's also a valid option