front: add a 'packageManager' version

[woshilapin]

When following the official procedure to install yarn,
corepack yells about not finding a packageManager defined in package.json,
and then choose one to add it.

! Corepack is about to download https://registry.yarnpkg.com/yarn/-/yarn-1.22.22.tgz
? Do you want to continue? [Y/n] Y

! The local project doesn't define a 'packageManager' field. Corepack will now add one referencing yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e.
! For more details about this field, consult the documentation at https://nodejs.org/api/packages.html#packagemanager

⚠️ It is to be noted that yarn documents installation through corepack which itself is still experimental.

[emersion]

Does dependabot support upgrading this field?

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 37.06%. Comparing base (a902ca2) to head (38994ee).
Report is 3 commits behind head on dev.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff              @@
##                dev    #8828      +/-   ##
============================================
- Coverage     37.07%   37.06%   -0.01%     
  Complexity     2212     2212              
============================================
  Files          1255     1255              
  Lines        114111   114111              
  Branches       3189     3189              
============================================
- Hits          42307    42297      -10     
- Misses        69907    69917      +10     
  Partials       1897     1897              

Flag	Coverage Δ
core	74.79% <ø> (ø)
editoast	72.39% <ø> (-0.04%)	⬇️
front	14.94% <ø> (ø)
gateway	2.20% <ø> (ø)
osrdyne	2.71% <ø> (ø)
railjson_generator	87.49% <ø> (ø)
tests	86.37% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[woshilapin]

Does dependabot support upgrading this field?

Not yet

[kmer2016]

Thank you for this PR !

[emersion]

I wonder if we should just live with the warning instead of hardcoding a version which will quickly become outdated.

[emersion]

By the way, an outdated package manager is not great because that program is responsible for doing a bunch of network requests, unpacking and writing files to disk. A vulnerability in there would have pretty unfortunate consequences, especially if the tool is pinned to a vulnerable version.

[woshilapin]

Note that this is not just a warning, it also modify the package.json without asking. Even if we could turn it off, that would mean that each time you use yarn, it goes through the corepack shim and would display the warning. Not sure how to go from there... It seems both solution are particularly bad.

[woshilapin]

OK, found a way to silence it in the documentation. Just need a COREPACK_ENABLE_AUTO_PIN=0 that I set up with direnv. Works for me. I'll close the PR.

[emersion]

Possible workarounds:

• export COREPACK_ENABLE_AUTO_PIN=0
• npm install -g yarn instead of using corepack

EDIT: ah, seems like you've found the first one already :P