Dependency: Upgrade Yarn to v4 #24565

Merged
merged 6 commits into from
Oct 25, 2023

Contributor

@JReinhold JReinhold commented Oct 24, 2023

Fixes #24552

What I did

Upgrade our internal usage of Yarn to v4.

References:

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

  1. Checkout the branch
  2. Run git clean -xdf (beware, will delete all uncommitted files)
  3. Run yarn start which should take you through the whole tasks pipeline and see that it works
  4. git clean -xdf again
  5. yarn task --task=compile --no-link to see that it also compiles in --no-link mode
  6. cd scripts
  7. yarn release:version --exact 0.0.0-canary-test-yarn.0
  8. yarn release:publish --tag canary to see that it correctly attempts to publish. It should output a long list of YN0033: No authentication configured for request errors because you don't have the npm token set, which is the correct output.

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

馃 Canary release

This pull request has been released as version 0.0.0-pr-24565-sha-2d556c14. Install it by pinning all your Storybook dependencies to that version.

More information
Published version 0.0.0-pr-24565-sha-2d556c14
Triggered by @JReinhold
Repository storybookjs/storybook
Branch upgrade-yarn-4
Commit 2d556c14
Datetime Tue Oct 24 11:57:48 UTC 2023 (1698148668)
Workflow run 6626437775

To request a new release of this pull request, mention the @storybookjs/core team.

core team members can create a new canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=24565

@JReinhold JReinhold added ci:daily Run the CI jobs that normally run in the daily job. build Internal-facing build tooling & test updates labels Oct 24, 2023
@JReinhold JReinhold changed the title Build: Upgrade Yarn to v4 Monorepo: Upgrade Yarn to v4 Oct 24, 2023
@JReinhold JReinhold changed the title Monorepo: Upgrade Yarn to v4 Dependency: Upgrade Yarn to v4 Oct 24, 2023
@JReinhold JReinhold self-assigned this Oct 24, 2023
@socket-security

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Packages | Version | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- | --- |
| @types/pretty-hrtime | 1.0.1 | None | +0 | 3.6 kB | types |
| @types/detect-port | 1.3.3 | None | +0 | 3.84 kB | types |
| yaml | 2.3.2 | None | +0 | 661 kB | eemeli |
| @types/ejs | 3.1.3 | None | +0 | 17.3 kB | types |
| @types/uuid | 9.0.4 | None | +0 | 7.14 kB | types |
| @types/qs | 6.9.8 | None | +0 | 7.07 kB | types |
| giget | 1.1.2 | network | +0 | 34.7 kB | pi0 |
| @types/cross-spawn | 6.0.3 | None | +4 | 15.7 MB | types |
| vue | 2.7.14 | None | +4 | 7.18 MB | yyx990803 |
| tocbot | 4.21.1 | None | +0 | 776 kB | tscanlin |
| ts-loader | 9.4.4 | None | +16 | 17.4 MB | johnnyreilly |
| @types/babel__preset-env | 7.9.3 | None | +0 | 7.57 kB | types |
| @types/util-deprecate | 1.0.1...1.0.0 | None | +0/-0 | 2.69 kB | types |
| @types/webpack-virtual-modules | 0.1.3...0.1.2 | None | +6/-10 | 4.1 MB | types |
| @types/npmlog | 4.1.5...4.1.4 | None | +0/-0 | 5.25 kB | types |
| @types/ip | 1.1.2...1.1.1 | None | +1/-0 | 3.93 MB | types |
| @types/jest-image-snapshot | 6.2.2...6.2.1 | None | +6/-2 | 4.04 MB | types |
| @types/babel__plugin-transform-runtime | 7.9.4...7.9.3 | None | +0/-0 | 4.32 kB | types |
| @types/prompts | 2.4.7...2.4.5 | None | +1/-0 | 3.93 MB | types |
| @types/mock-fs | 4.13.3...4.13.2 | None | +1/-0 | 3.93 MB | types |
| @types/picomatch | 2.3.2...2.3.1 | None | +0/-0 | 18.4 kB | types |
| @angular/cli | 16.2.7...16.2.4 | None | +7/-8 | 3.17 MB | google-wombot |
| @types/webpack-env | 1.18.3...1.18.2 | None | +0/-0 | 17.3 kB | types |
| @types/js-yaml | 4.0.8...4.0.6 | None | +0/-0 | 9.65 kB | types |
| @types/ws | 8.5.8...8.5.6 | None | +1/-0 | 3.94 MB | types |
| @types/jscodeshift | 0.11.9...0.11.7 | None | +0/-0 | 38.4 kB | types |
| @types/jest-specific-snapshot | 0.5.8...0.5.7 | None | +4/-0 | 108 kB | types |
| @angular-devkit/build-angular | 16.2.7...16.2.4 | None | +63/-82 | 28.6 MB | google-wombot |
| @angular/compiler-cli | 16.2.10...16.2.7 | None | +5/-4 | 14.3 MB | google-wombot |
| @angular/platform-browser-dynamic | 16.2.10...16.2.7 | None | +4/-9 | 17.8 MB | google-wombot |
| @angular/platform-browser | 16.2.10...16.2.7 | None | +0/-2 | 780 kB | google-wombot |
| vue-template-compiler | 2.7.15...2.7.14 | None | +0/-0 | 583 kB | yyx990803 |
| @angular/forms | 16.2.10...16.2.7 | None | +1/-4 | 2.69 MB | google-wombot |
| @angular/compiler | 16.2.10...16.2.7 | None | +0/-2 | 8.09 MB | google-wombot |
| @types/webpack-hot-middleware | 2.25.8...2.25.7 | None | +9/-4 | 8.59 MB | types |
| @axe-core/puppeteer | 4.8.1...4.7.3 | None | +2/-2 | 3.98 MB | npmdeque |
| @preact/preset-vite | 2.6.0...2.5.0 | None | +14/-0 | 8.88 MB | jdecroock |
| svelte | 4.2.2...4.2.1 | None | +18/-0 | 6.4 MB | svelte-admin |
| @storybook/icons | 1.2.1...1.1.7 | None | +0/-0 | 1.26 MB | ndelangen |
| @rollup/pluginutils | 5.0.5...5.0.4 | None | +2/-0 | 89.1 kB | shellscape |
| @angular-devkit/core | 16.2.7...16.2.4 | None | +1/-0 | 718 kB | google-wombot |

🚮 Removed packages: @angular/core@16.2.10, @types/color-convert@2.0.2, @types/compression@1.7.4, @types/lodash@4.14.199, @types/tmp@0.2.5, vue-loader@15.11.1

@socket-security

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Issue | Package | Version | Note | Source |
| --- | --- | --- | --- | --- |
| New author | npm-pick-manifest | 8.0.2 | | |
| New author | flat-cache | 3.1.0 | | |

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm-pick-manifest@8.0.2
  • @SocketSecurity ignore flat-cache@3.1.0
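
The "new author" signal described in the Socket comment above can be approximated from npm registry package metadata. This is an added example, not part of the PR and not Socket's implementation; `SAMPLE_PACKUMENT`, the package name and the publisher names are constructed, and `findNewAuthorVersions` is a hypothetical helper.

```javascript
// Added example: flag versions whose publisher had not published any
// earlier version of the same package (the "new author" signal).
// SAMPLE_PACKUMENT is constructed; its shape (time, versions[v]._npmUser)
// follows npm registry package metadata.
const SAMPLE_PACKUMENT = {
  name: "example-pkg", // hypothetical package
  time: {
    created: "2020-03-01T00:00:00.000Z",
    modified: "2023-10-02T00:00:00.000Z",
    "0.9.0": "2020-03-01T00:00:00.000Z",
    "1.0.0": "2021-01-05T00:00:00.000Z",
    "1.1.0": "2023-09-01T00:00:00.000Z",
    "1.0.1": "2023-10-02T00:00:00.000Z", // backport published last
  },
  versions: {
    "0.9.0": {}, // old metadata without _npmUser
    "1.0.0": { _npmUser: { name: "alice" } },
    "1.0.1": { _npmUser: { name: "alice" } },
    "1.1.0": { _npmUser: { name: "bob" } },
  },
};

function findNewAuthorVersions(packument) {
  const times = packument.time || {};
  // Order by publish time, not semver: backports are published out of order.
  const ordered = Object.keys(packument.versions || {})
    .filter((v) => !Number.isNaN(Date.parse(times[v])))
    .sort((a, b) => Date.parse(times[a]) - Date.parse(times[b]));

  const seen = new Set();
  const findings = [];
  for (const version of ordered) {
    const publisher = packument.versions[version]?._npmUser?.name ?? null;
    if (publisher === null) {
      // Cannot attribute the release; report it instead of trusting it.
      findings.push({ version, publisher, reason: "unknown-publisher" });
      continue;
    }
    // The first attributed release sets the baseline and is not flagged.
    if (seen.size > 0 && !seen.has(publisher)) {
      findings.push({ version, publisher, reason: "new-author" });
    }
    seen.add(publisher);
  }
  return findings;
}

console.log(findNewAuthorVersions(SAMPLE_PACKUMENT));
```

A finding is a prompt to review the release and its maintainer change before accepting the lockfile update, not a verdict on the package.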

@@ -84,23 +84,23 @@ commands:
jobs:
pretty-docs:
executor:
class: small
class: medium
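
Review bot: the `class: small` to `class: medium` bump under `pretty-docs` has no comment in the config explaining it. A one-line YAML comment above `class: medium` recording that the install step was silently failing on the smaller class would keep a later resource-trimming change from reverting it, and it is worth checking whether other jobs that run the same install step are still on `small`.
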
Contributor Author

CI would consistently silently bail on yarn install, this fixed that. We were likely running out of memory.

See "Install" step here silently stopping at "Fetch" step, causing the command to fail completely later.

https://app.circleci.com/pipelines/github/storybookjs/storybook/61775/workflows/4e8ba21c-8f6e-4d2b-b08d-46a6b0c764ab/jobs/588725

Contributor Author

autodeleted by Yarn 4, included by default in core now

Comment on lines +1 to +3
compressionLevel: mixed

enableGlobalCache: false
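
Review bot: `compressionLevel: mixed` and `enableGlobalCache: false` (lines +1 to +3) are added without a comment saying they were written by the migration to keep the existing behaviour. A short YAML comment to that effect, or a follow-up issue to decide whether the new defaults are wanted, would stop these settings from reading as deliberate project choices.
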
Contributor Author

this was auto set by Yarn 4. I believe this was the default in Yarn 3 but not Yarn 4, so I didn't want to change it.

@JReinhold JReinhold marked this pull request as ready for review October 24, 2023 07:45
@valentinpalkovic
Contributor

@JReinhold We should definitely run a snapshot release on this branch to see whether the workspace:* versions get properly replaced.

@yannbf
Member

yannbf commented Oct 24, 2023

LGTM! I'd recommend doing what Valentin said, other than that it looks good.

@JReinhold
Contributor Author

@valentinpalkovic @yannbf I've released a canary and tested it out in Mealdrop, it works fine.

@JReinhold JReinhold merged commit 4a12d4a into next Oct 25, 2023
101 of 107 checks passed
@JReinhold JReinhold deleted the upgrade-yarn-4 branch October 25, 2023 08:37
Successfully merging this pull request may close these issues.

Investigate upgrading monorepo to Yarn 4