[Bug?]: Yarn checksums are dependent on user-configurable compression ratio #6068

@ashkitten

Self-service

  • I'd be willing to implement a fix

Describe the bug

yarn.lock checksums are calculated based on the hash of the zip files in the cache directory, NOT their contents. This causes issues where if a user has a global .yarnrc.yml with compressionLevel set to something other than the default 0, yarn will always attempt to update the lockfile with all new hashes. This is especially bad in a hypothetical scenario where a developer has compressionLevel set globally and commits their lockfile, then someone tries to use the lockfile with --immutable (say, in a typical distro package build script).

To reproduce

  1. yarn config set compressionLevel 0
  2. yarn install
  3. yarn config set compressionLevel 1
  4. yarn install --immutable # fails!

Environment

  System:
    OS: Linux 6.6 NixOS 24.05 (Uakari) 24.05 (Uakari)
    CPU: (12) x64 AMD Ryzen 5 5600X 6-Core Processor
  Binaries:
    Node: 20.10.0 - /tmp/xfs-94698436/node
    Yarn: 4.0.1 - /tmp/xfs-94698436/yarn
  npmPackages:
    jest: ^29.5.0 => 29.7.0

Additional context

image-121
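
The behaviour reported above can be reproduced outside Yarn. The following is an added example, not code from the issue or from the Yarn project: Python's `zipfile` stands in for the cache archive writer, and the sample files, the SHA-512 choice, and the `content_digest` scheme are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample package contents (not a real package).
FILES = {
    "package/package.json": b'{"name": "demo", "version": "1.0.0"}\n',
    "package/index.js": b"module.exports = 'hello';\n" * 200,
}

def build_archive(files, level):
    """Write files to an in-memory zip with fixed metadata; only the deflate level varies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            # Fixed timestamp so two builds at the same level are byte-identical.
            info = zipfile.ZipInfo(name, date_time=(1984, 6, 22, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name], compresslevel=level)
    return buf.getvalue()

def archive_digest(archive):
    """Hash the archive bytes, as the issue describes for yarn.lock checksums."""
    return hashlib.sha512(archive).hexdigest()

def content_digest(archive):
    """Hypothetical alternative: hash decompressed entries, length-prefixed, in name order."""
    h = hashlib.sha512()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in sorted(zf.namelist()):
            encoded, data = name.encode("utf-8"), zf.read(name)
            h.update(len(encoded).to_bytes(8, "big") + encoded)
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def compare(levels=(0, 1)):
    """Build the same files at each compression level and compare both digest kinds."""
    archives = [build_archive(FILES, lvl) for lvl in levels]
    return {
        "archive_digests_match": len({archive_digest(a) for a in archives}) == 1,
        "content_digests_match": len({content_digest(a) for a in archives}) == 1,
    }

if __name__ == "__main__":
    print(compare())
```

The length prefixes in `content_digest` keep entry boundaries unambiguous, so moving bytes between a file name and its contents cannot produce the same digest.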
