This PR implements "Stable resolution". In a few words, it changes the resolution algorithm so that we always pick the highest resolution possible that's also the lowest from any range in the tree. For example, if a package Foo has versions 1.0, 1.1, 1.2, and if a project has dependencies X and Y that respectively require Foo@^1.0 and Foo@^1.1, then the only version Yarn will install will be 1.1 (not 1.0, because 1.1 already fulfills ^1.0, and not 1.2, because it's not the lowest version supported by any range).
This change would prevent malicious packages from spreading across the ecosystem, by requiring popular JS tools to "vet" them first by introducing them into their own dependencies.
I have an article about this being written, will update when finished.
Edit: It unfortunately seems this isn't compatible with the ecosystem (see the E2E tests at the end, it's about 50/50, with many packages breaking because they rely on old dependency ranges that they aren't actually compatible with), so it's a bit blocked at the moment.
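As an added example that is not part of this PR or of Yarn's own resolver, here is a minimal JavaScript model of the "stable resolution" rule described above: take the lowest available version each range accepts, and among those pick the highest one every range in the tree accepts. It is restricted to caret ranges so it runs without a semver library; `stableResolve`, `satisfiesCaret` and the sample version lists are assumptions for illustration. The last case also shows the ecosystem problem noted in the edit: a package declaring `^1.0` but really needing `1.2` now gets `1.0`.

```javascript
// Added example, not Yarn code: a small model of stable resolution limited to
// caret ranges (^x.y.z) with npm semantics, so it needs no external library.

function parseVersion(v) {
  const [major, minor = 0, patch = 0] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// npm caret semantics: ^1.2.3 := >=1.2.3 <2.0.0, ^0.2.3 := >=0.2.3 <0.3.0,
// ^0.0.3 := >=0.0.3 <0.0.4.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are modelled");
  const floor = range.slice(1);
  if (compareVersions(version, floor) < 0) return false;
  const v = parseVersion(version), lo = parseVersion(floor);
  if (lo.major > 0) return v.major === lo.major;
  if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
  return v.major === 0 && v.minor === 0 && v.patch === lo.patch;
}

// Stable resolution as described in the PR:
//  1. for each range, take the lowest available version that satisfies it;
//  2. keep only those floors that every range in the tree accepts;
//  3. return the highest remaining one, or null if the ranges cannot agree
//     on a single version (a normal resolver would then install several).
function stableResolve(available, ranges) {
  const sorted = [...available].sort(compareVersions);
  const floors = ranges
    .map(r => sorted.find(v => satisfiesCaret(v, r)))
    .filter(v => v !== undefined);
  const common = floors.filter(v => ranges.every(r => satisfiesCaret(v, r)));
  if (common.length === 0) return null;
  common.sort(compareVersions);
  return common[common.length - 1];
}

// The PR's own example, plus a freshly published 1.3 that changes nothing,
// because no range in the tree has 1.3 as its floor.
const VERSIONS = ["1.0", "1.1", "1.2"];            // constructed registry
console.log(stableResolve(VERSIONS, ["^1.0", "^1.1"]));          // 1.1
console.log(stableResolve([...VERSIONS, "1.3"], ["^1.0", "^1.1"])); // 1.1
```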