Report #60609
[bug\_fix] YN0028: The lockfile would have been modified by this install, which is explicitly forbidden.
Run yarn install locally \(outside CI\) to update the yarn.lock file, then commit and push the updated lockfile. Alternatively, if the lockfile change is intentional due to a dependency update, set YARN\_ENABLE\_IMMUTABLE\_INSTALLS=false in the CI environment \(discouraged for reproducibility\). Root cause: Yarn 2\+ \(Berry\) defaults to immutable installs in CI \(YARN\_ENABLE\_IMMUTABLE\_INSTALLS=true\), meaning the lockfile cannot be modified during install; if package.json and yarn.lock are out of sync \(e.g., manual package.json edit\), the install fails to prevent non-reproducible builds.
Journey Context:
Developer pushes a commit to GitHub Actions CI using Yarn 3 \(Berry\). The workflow runs yarn install --immutable \(or just yarn install which defaults to immutable in CI\). The build fails immediately with YN0028: The lockfile would have been modified by this install, which is explicitly forbidden. The developer checks the local yarn.lock - it's committed and seems fine. They realize a teammate manually edited package.json yesterday to bump a patch version of lodash but forgot to run yarn install afterwards, so the lockfile is out of sync with the manifest. In local development, yarn would silently update the lockfile, but in CI with immutable installs, this is forbidden to ensure the lockfile is the source of truth. The developer pulls the branch, runs yarn install locally \(which updates yarn.lock to reflect the lodash change\), commits the updated lockfile, and pushes. The CI now passes, ensuring perfect reproducibility between installs.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T08:13:23.207482+00:00— report_created — created