Yarn support and change to “npm install” behavior

We’re happy to announce our first Yarn support and a change to how npm packages are installed. The change hasn’t been released yet; it will be published on August 20, 2019.

The change will affect the following analysis tools which are installable from npm:

In particular, if you use ESLint or stylelint and don’t have a package.json file in your repository, your analysis may not work properly, so please read this article and check your settings in advance.

Now, let’s look at each change in detail.

Yarn support

We will release support for Yarn, which has been requested for a long time. When Sider finds a yarn.lock file in your repository, it will run the yarn install command instead of the npm install command.

With this support, analyses on Sider will behave more like analyses in your development environment, because Sider will analyze your code with the version written in yarn.lock instead of a version written in package.json. As a result, you will see fewer analysis failures on Sider and will be able to debug any failures more easily.

For example, suppose you have the following package.json and yarn.lock files in your repository:


package.json:

  {
    "devDependencies": {
      "eslint": "^5.10.0"
    }
  }

yarn.lock:

  eslint@^5.10.0:
    version "5.10.0"

Before the Yarn support, eslint@5.16.0 (the latest version in ESLint 5) is used for analyses. Once the support has been implemented, eslint@5.10.0, the version written in yarn.lock, will be used instead.

Using “npm ci”

As with the Yarn support, when Sider finds a package-lock.json file in your repository, it will run the npm ci command instead of the npm install command. In this case too, the version written in package-lock.json (as with yarn.lock) will be installed, so you can expect analyses closer to your development environment.

Also, npm ci is faster than npm install, so it can be expected to reduce analysis time (for details about npm ci, please see the npm documentation).

It may be a rare case, but please be aware that Sider raises an error if yarn.lock and package-lock.json are present at the same time (Yarn also gives a warning in that case).

Behavior change of npm packages installation

This release will change the default behavior of npm package installation, that is, the behavior when the npm_install option (which you can set in sider.yml) is omitted.

The default value of the npm_install option:

  • Before: false
  • After: true

Taking the new default value together with the Yarn and npm ci support, Sider’s behavior after the change will be as follows:

  1. Sider checks whether package.json exists. If it is not present, Sider uses the default version of the tools.
  2. If package.json and yarn.lock exist, Sider runs yarn install.
  3. If package.json and package-lock.json exist, Sider runs npm ci.
  4. If package.json exists but neither yarn.lock nor package-lock.json exists, Sider runs npm install.
  5. Sider checks whether the tool is installed in the node_modules directory.
  6. If installed, Sider uses the installed version.
  7. If not installed (for any reason), Sider uses the default version.

If a tool isn’t installed for any reason, Sider will output warning(s), which you can see on your analysis result page and log page, so it might be worth reviewing your settings (e.g. package.json) in light of the warning(s).

If you specify npm_install: true explicitly, the behavior is the same as the new default.

Also, if you specify npm_install: false, Sider behaves as before: it installs nothing and uses the default version. If you want to avoid any installation, specify npm_install: false explicitly in your sider.yml.

Tool version constraints

Sider will add constraints on the versions of user-specified tools installed by npm or Yarn. Here, a “constraint” means a version range which Sider will support. This aims to guarantee that Sider’s analyses will work properly. If these constraints are violated, the analysis fails.

The minimum version of each tool is determined based on statistics from Sider analyses, so the constraints should not be a problem in most cases. But if you want to use a version which is outside the constraint, please contact our support.

Below are the constraints of each tool:

  • ESLint: 3.19.0 ≦ x < 7.0.0
  • TSLint: 5.0.0 ≦ x < 6.0.0
  • CoffeeLint: 1.16.0 ≦ x < 3.0.0
  • stylelint: 8.3.0 ≦ x < 11.0.0

The latest version of each of the above tools is available. The constraints will be reflected in the Sider documentation after the change is published.
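The installation flow from the numbered list above and the version constraints listed here, combined into a pre-flight check you can run against a repository. This is an added example, not Sider's implementation: the function names (cmp, installPlan, resolveTool, sampleRepo) and the sample repository are constructed for illustration, and the version comparison assumes plain x.y.z versions.

```javascript
// Added example, not Sider's code: predicts the install step and the tool version used.
const fs = require("fs"), os = require("os"), path = require("path");

// Supported ranges from this article: [minimum inclusive, maximum exclusive].
const CONSTRAINTS = {
  eslint: ["3.19.0", "7.0.0"],
  tslint: ["5.0.0", "6.0.0"],
  coffeelint: ["1.16.0", "3.0.0"],
  stylelint: ["8.3.0", "11.0.0"],
};

// Numeric comparison of plain x.y.z versions (assumption: no pre-release tags).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Steps 1-4. npmInstall mirrors npm_install in sider.yml; null means nothing is installed.
function installPlan(repo, npmInstall = true) {
  const has = (file) => fs.existsSync(path.join(repo, file));
  if (!npmInstall || !has("package.json")) return null;
  const yarn = has("yarn.lock"), npm = has("package-lock.json");
  if (yarn && npm) throw new Error("yarn.lock and package-lock.json both present");
  return yarn ? "yarn install" : npm ? "npm ci" : "npm install";
}

// Steps 5-7 plus the constraint check: which version of a tool would be used.
function resolveTool(repo, tool) {
  const manifest = path.join(repo, "node_modules", tool, "package.json");
  if (!fs.existsSync(manifest)) return { source: "default" };
  const { version } = JSON.parse(fs.readFileSync(manifest, "utf8"));
  const [min, max] = CONSTRAINTS[tool];
  const supported = cmp(version, min) >= 0 && cmp(version, max) < 0;
  return { source: "node_modules", version, supported };
}

// Builds a constructed sample repository in a temporary directory.
function sampleRepo(files) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sider-demo-"));
  for (const [name, body] of Object.entries(files)) {
    fs.mkdirSync(path.dirname(path.join(dir, name)), { recursive: true });
    fs.writeFileSync(path.join(dir, name), body);
  }
  return dir;
}

const demo = sampleRepo({ "package.json": "{}", "yarn.lock": "",
  "node_modules/eslint/package.json": '{"version":"5.10.0"}' });
console.log(installPlan(demo), resolveTool(demo, "eslint"));
```

Comparing versions numerically matters here: a string comparison would rank 5.9.0 above 5.10.0 and misjudge the range.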

Deprecation of automatic installation from tool configuration files

Sider currently tries to automatically detect and install tools’ plugins from their configuration files, but this feature will be discontinued in the new release. The target tools are as follows:

  • ESLint
  • stylelint

For example, when the following settings are in your ESLint configuration file (e.g. .eslintrc.json), Sider tries to automatically install eslint-plugin-react.

  "plugins": ["react"]

However, this behavior is hard to implement because it requires analyzing configuration files in various formats (e.g. JSON, YAML, JavaScript, etc.), and it also makes problems difficult to debug in users’ environments. As a result, we decided to deprecate it.

If your analyses depend on the auto-detect-and-install feature, you can replace it by adding your plugins to package.json, as in the following example. Please check the documentation of each plugin for details.

  {
    "devDependencies": {
      "eslint": "^5.15.1",
      "eslint-plugin-react": "^7.14.3"
    }
  }


That is the full content of the change. It aims to make your experience better, and we are taking care to avoid breaking your existing analyses as far as possible. However, if your analyses fail after the release, we would appreciate your feedback and support.

Again, the expected release date will be August 20, 2019.

It would be so helpful if you would give us feedback. Please feel free to contact us from the Sider chat if you have any concerns or questions.

Aki Asahara

CEO of Sider. Aki joined Fixstars in 2008 and served major clients such as the US Airforce, MIT, USC, Toyota, and Hitachi High-technologies. After his successful tenure, he was appointed CEO of US operations in 2012. He was appointed CEO of Sider in 2019. He holds a Ph.D. in Astrophysics from Kyoto University and is a Certified Scrum Master.
