Yarn install isn't actually frozen

[aDotInTheVoid]

Summary

In #148763, we switched to using yarn1 to install JS deps for the rustdoc-gui suite. This was motivated by wanting to ensure packages would be locked. Unfortunatly that's not the case.

Command used

./x test ./tests/rustdoc-gui/go-to-collapsed-elem.goml

Expected behaviour

yarn.lock and ./build/host/test/rustdoc-gui/yarn.lock have the same contents.

Actual behaviour

They don't.

$ md5sum yarn.lock  ./build/host/test/rustdoc-gui/yarn.lock
74649b371fd0dcb143ea171d11075918  yarn.lock
2b895cd885819933c18bea54155476c2  ./build/host/test/rustdoc-gui/yarn.lock

We use yarn install --frozen

rust/src/build_helper/src/npm.rs

Lines 19 to 22 in 23903d0

	let mut cmd = Command::new(yarn);
	cmd.arg("install");
	// make sure our `yarn.lock` file actually means something
	cmd.arg("--frozen");

But that's not the right flag, it should be --frozen-lockfile.

For some reason, by default, yarn doesn't do a frozen install. And it doesn't error on unknown flags, so it'll silently ignore the lockfile:

gh-aDotInTheVoid@dev-desktop-eu-2:~/rust0$ git checkout yarn.lock && rm -rf ./node_modules && ~/.local/bin/yarn install --this-definly-isnt-a-valid-flag
Updated 0 paths from the index
yarn install v1.22.22
warning package.json: License should be a valid SPDX license expression
warning License should be a valid SPDX license expression
[1/4] Resolving packages...
[2/4] Fetching packages...
warning bare-fs@4.5.0: The engine "bare" appears to be invalid.
warning bare-os@3.6.2: The engine "bare" appears to be invalid.
[3/4] Linking dependencies...
warning Workspaces can only be enabled in private projects.
[4/4] Building fresh packages...
success Saved lockfile.
Done in 1.94s.
gh-aDotInTheVoid@dev-desktop-eu-2:~/rust0$ git status
On branch main
Your branch is ahead of 'origin/main' by 1955 commits.
  (use "git push" to publish your local commits)

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   yarn.lock

no changes added to commit (use "git add" and/or "git commit -a")
gh-aDotInTheVoid@dev-desktop-eu-2:~/rust0$ md5sum yarn.lock  ./build/host/test/rustdoc-gui/yarn.lock
2b895cd885819933c18bea54155476c2  yarn.lock
2b895cd885819933c18bea54155476c2  ./build/host/test/rustdoc-gui/yarn.lock

If use the right flag here, yarn errors that the lockfile needs updating (for unclear reasons):

gh-aDotInTheVoid@dev-desktop-eu-2:~/rust0$ git checkout yarn.lock && rm -rf ./node_modules && ~/.local/bin/yarn install --frozen-lockfile
Updated 1 path from the index
yarn install v1.22.22
warning package.json: License should be a valid SPDX license expression
warning License should be a valid SPDX license expression
[1/4] Resolving packages...
error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

Bootstrap configuration (bootstrap.toml)

profile = "compiler"  # Includes one of the default files in src/bootstrap/defaults
# Not using download-rustc until https://github.com/rust-lang/rust/pull/154394 merges

change-id = 153143

[build]
yarn = "/home/gh-aDotInTheVoid/.local/bin/yarn"

Operating system

Ubuntu 24.04.3 LTS

HEAD

212ef77

Additional context

$ ~/.local/bin/yarn --version
1.22.22

CC @lolbinarycat @yotamofek . The right solution is probably to update the lockfile to something installable, then to use the --frozen-lockfile flag (and maybe add a sanity check that the lockfile hasn't changed)

[lolbinarycat]

I'm guessing the error is because #151759 bumped the version in the package.json without bumping yarn.lock.