Yarn: Yarn upgrade does not properly update `package.json` for dev dependencies

Created on 25 Oct 2016  路  83Comments  路  Source: yarnpkg/yarn

Do you want to request a _feature_ or report a _bug_?

_bug_

What is the current behavior?

Running yarn upgrade to upgrade a dev dependency, even with the --dev flag, will add the upgraded version of the dependency to the dependencies hash in package.json rather than devDependencies.

This might also be an issue with other dependency types (like peer), but I have not tested.

If the current behavior is a bug, please provide the steps to reproduce.

$ mkdir foo && cd foo
$ yarn init
<snip>
$ yarn add lodash@3 --dev
<snip>

$ grep lodash package.json -C 1
  "devDependencies": {
    "lodash": "3"
  }

$ yarn outdated
yarn outdated v0.16.1
Package Current Wanted Latest
lodash  3.10.1  3.10.1 4.16.4

$ yarn upgrade lodash --dev
<snip>
success Saved 1 new dependency
鈹斺攢 [email protected]

$ grep lodash package.json -C 1
  "devDependencies": {
    "lodash": "3"
  },
--
--
  "dependencies": {
    "lodash": "^4.16.4"
  }

What is the expected behavior?

yarn upgrade should update the version string of the entry in the devDependencies hash.

It would be nice if this could be done without --dev using the current location of the dependency (upgrading a dev dep would modify devDependencies, upgrading a normal dep would modify dependencies).

Please mention your node.js, yarn and operating system version.

$ node --version
v6.9.1
$ yarn --version
0.16.1
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.12
BuildVersion:   16A323
cat-bug

Most helpful comment

same here with yarn 1.3.2

All 83 comments

I can confirm that I am seeing this happen on the exact same version of Yarn. Instead of updating the existing development dependency, it adds a new entry to "dependencies" and leaves the existing development dependency there.

Confirmed bug here as well.

Same here. standard keeps getting inserted into dependencies even though it lives in devDependencies.

I've tried both yarn upgrade standard and yarn upgrade standard -D. Same thing.

Lovely program though! Thank you for building it!

Here is the same issue, a bit before - #1262

Same here.

Same here. Every module updated via yarn update gets added to dependencies.
--dev or other options are not documented foryarn update and apparently ignored.

IMO update should either accept the same opts as install - or even better update the dependency in the category it is found in in package.json

node --version
v6.9.0
yarn --version
0.16.1

1620 fixes this so I'm going to close this and move discussion there.

Still not fixed, I'm using latest Yarn installed via Homebrew.

@kube Could you please add more details if it is still an issue? Versions for OS, Node, Yarn? A package.json that can be used to reproduce?

位 yarn --version
0.16.1

I'm on macOS 10.12.1, installed Yarn with Homebrew.

And here is the package.json on which I tried.

ts-loader and webpack-merge are outdated, upgrading them with yarn added them to dependencies, leaving devDependencies outdated.

@kube Please try on 0.17.0 that was just released today, this fix was included in that release, but not in 0.16.1.

Sure, but Homebrew still has 0.16.1

位 brew upgrade yarn
Error: yarn 0.16.1 already installed

Tried installing with NPM and just had the latest version, but seems strange to install Yarn with NPM.

Ok everything works fine when using 0.17.0, but maybe you should update Brew version.
Which is the preferred package manager or way to install Yarn ?

Brew is the preferred method of installation for OSX. It is still a manual process for getting it updated on Homebrew, so someone will have to request it being updated like they did here: https://github.com/Homebrew/homebrew-core/pull/6060

When I run yarn upgrade, it doesn't update any versions in package.json. This is quite annoying coming from NPM, in which it would automatically update the numbers.

I'm using yarn 0.17.2 from homebrew.

@milesj, this should probably be a separate issue and please provide steps to reproduce along with a package.json that we could use to reproduce.

I'll create a new issue.

On Debian Stable, yarn 0.17.4, this issue seems to be fixed at least. It upgraded lodash@3 to lodash@4 properly, so it could just be a matter of going to the latest version.

I'm trying to upgrade grunt-sass from 1.1.0 to 2.0.0 (in my __dev-dependencies__)
I execute yarn upgrade [email protected] but add grunt-sass in my __dependencies__ and not upgrade the one in __dev-dependencies__

I also tried yarn upgrade [email protected] --dev but the problem still remain

Using yarn v0.18.1 I'm still unable to force an upgrade of a sub-dependency. yarn upgrade only adds a new entry to the package.json and doesn't update the sub-dependency.

Issue still exists in 0.19.1, yarn upgrade did not update package.json.

@kittens this is not fixed by #1620

I can confirm this issue in 0.19.1 as well.

everyone--using yarn add <package-name> will update your desired package for now.

yarn upgrade isn't working for me either, v0.19.1

yarn upgrade currently only update yarn.lock, not update package.json.

Can confirm issue in v0.20.3

I have the same issue, when use yarn upgrade, it upgrade all packages, but doesn't reflect in package.json file. v0.20.3 .. really annoying. I noticed also when use "yarn install", it install latest versions of all list packages in package.json and doesn't stick with versions mentioned in it, so it is like yarn upgraded them to latest version and also doesn't reflect that in package.json but it shows in yarn.lock current versions that installed

@kittens v0.20.3 @ Windows and still doesn't update package.json - only yarn.lock file. You should reopen this.

I'm dropping yarn and switching back to npm because of this bug. No matter how I try to upgrade my packages, yarn will fetch the newest ones into the cache, and keep the old versions in my package.json and in the node_modules folder. What's the point?..

Yes! I can confirm that Yarn v0.21.3 finally updates package.json, at least yarn upgrade-interactive command.

@alexdevero i just tried yarn upgrade on 3 projects of mine: it didnot update any package.json ....

but i confirm yarn upgrade-interactive works... for the 1st updated project
next usage of yarn upgrade-interactive on other projects needing the same upgrade will fail, ie "success All of your dependencies are up to date."

i tested with updating react-scripts from 0.9.x to 0.9.3 on each of my 3 projects. yarn upgrade-interactive worked on 1st project, but then ignored the update on other 2 projects.

As of today, on version 0.21.3, yarn upgrade still behaves wrongly.

I'm using yarn add package@version --dev instead, and it upgrades the package as desired and updates package.json correctly.

Fwiw, i've been using upgrade-interactive which for some reason seems to yield better luck.

馃崚 馃崚 馃崚

It would be good to know, what is the expected behavior of yarn in this case. Can any of the yarn developers say if yarn should update package.json or not?

I just did a yarn upgrade babel-cli which was in my devDependencies and it was added as a production dependency (to dependencies)... something is still completely broken. Oh, and I use yarn v0.22.0 btw!

EDIT: Turns out, I had NODE_ENV set to "production" (due to my app being a node app) and this messes up things like "yarn install" (which will act like yarn install --production and completely skip devDependencies for example).

Maybe yarn upgrade is also affected by the node environment variable.

Just realized this:
image

I'm not an apologist or anything, I think this should be reopened... but holy balls. 720 issues is enough to drown a cruise ship full of yarn developers.

+1 issue is still present in Yarn v0.21.3 on Windows 10 Pro and Node 6.10.0.

This is not fixed. I am getting it on macOS Sierra 10.12.4. I have some devDependencies which are private git repos and one standard dependency ("jquery": "^3.1.1"). The latest version of jQuery is 3.2.1, and yarn upgrade sees that (鈹溾攢 [email protected]) but it doesn't update package.json.

yarn --version
0.21.3
node --version
v7.7.4

Reopen.

Windows - v0.21.3 fails with yarn upgrade ... when specifying a package after it will update both package.json and lock file.

Windows - v0.22 - still doesn't update package.json but does update the lock file.
worked of sorts but didn't identify all the packages that should have updated and thus broke various peer dependencies.

Thankfully I've only used it on one project and was able to revert the mess. I love the idea behind Yarn but I won't be bothering with it until this is sorted.

Windows, Yarn v0.22 - doesn't update package.json when using yarn upgrade as @LaughingBubba mentioned. The node_modules folder is updated, but package.json is not, which creates a mess in package versions.

@kittens it doesn't appear that this has been fixed.

I just saw this again in 0.23.2.

In my case it seems that if at least 1 of the dependencies upgraded in a list is NOT a devDep, then it puts all the upgrades into dependencies in package.json.

Update: Also seeing it with updating a single devDep. It gets copied into deps without being upgraded.

This is definitely not fixed. Lost an hour now on this. Wasn't yarn supposed to be better than npm?

@fab1an, for the moment use yarn add package-name@latest [--dev] to update a package. It behaves as upgrade is expected to, updating package.json correctly.

@diegovilar Thanks for the tipp, but that's too cumbersome for 25+ dev-dependencies. I just went back to using npm-check -u for upgrading them.

Still broken in Windows x64 , Yarn 0.23.2

For everyone commenting here, I suggest using yarn upgrade-interactive in the mean time. Has been working rather well here.

Still broken and if you use yarn upgrade-iteractive and don't know what version of tslint, codelyzer, typescript, etc that packages depend on like Angular or the Angular CLI you can and will cause a bunch of errors that will haunt you even after you roll it all back. Has this issue been re-posted?

@milesj NO. I'm here and I've been using ONLY upgrade-interactive with the exact same problems.

Wasn't sure if this was getting any face time since it has been closed for months so created a new issue - #3266

@fab1an That's unfortunate. I've had no issues with it updating package.json :/

@fab1an @milesj I've had upgrade-interactive not update package.json on one of our projects as well. Seemed like if you upgrade and package.json doesn't have the right number then all the interactive upgrades don't update package.json... or something... either way definitely can agree with you on it not working sometimes.

Windows 10, yarn v0.23.4 still does not update the package.json when doing yarn upgrade

Edit: Maybe this is intentional?
For example: "semantic-ui-react": "^0.68.2" - there is already a new version (0.68.3) and that version is installed and yarn.lock is changed to 0.68.3 but because of ^ in the version (>=0.68.2 <0.69.0) there is no need to update package.json to ^0.68.3?

@iamfreee I'm running Yarn v0.24.5 and running yarn upgrade doesn't update package.json, only yarn.lock. This can't (or at least shouldn't) be intentional, because first of all, the versioning in package.json is to set the actual version of the package first, and then dictate upgrade constraints, i.e. ^ or ~. Second of all, running yarn upgrade on an individual package changes the package.json so why is the behavior when upgrading all packages different? Why should there be a discrepancy in the behavior between running yarn upgrade and yarn upgrade-interactive it makes no sense?

This issue has been closed for a while so frankly it's not getting any traction. We should just open a new issue. Even if this behavior is intentional, I still disagree with it. yarn upgrade shouldn't even upgrade to the @latest tag because what if you have a different version constraint listed in your package.json? See here: https://docs.npmjs.com/cli/update#caret-dependencies

@leosco In my case npm update didn't update the package.json too and also yarn upgrade [package] didn't did the trick. That's why i think the issue is related to version constraint ^, or is the expected behavior.

@iamfreee Nope, you've gotta do npm update --save which is supposed to be Yarn's default behavior.

I posted a new issue detailing all this, see here https://github.com/yarnpkg/yarn/issues/3492 and perhaps continue the discussion there.

I would also like to echo that I've had success with yarn interactive-upgrade whereas yarn upgrade --latest has not worked for me.
Using yarn v0.24.6 with node v7.10.0.

yarn upgrade --latest works fine :+1:

~> yarn -v
1.0.0
~> yarn upgrade --help | grep "\-\-latest" | head -n 1

  --latest       list the latest version of packages, ignoring version ranges in package.json

yarn interactive-upgrade seems to be having issues now in v1.

@kaylieEB I am not certain but I think yarn interactive-upgrade behaves differently now. I just ran it in a project with lots of minor upgrades, and package.json wasn't modified, just yarn.lock. Before 1.0.2, I think package.json would have been kept in sync with the upgraded versions, but I may be wrong about this... The latest nightly build didn't change that behavior for me.

yarn upgrade --latest now works fine, but I preferred being able to interactively choose what to upgrade, and then have the package.json adjusted accordingly.

@lehni There's also yarn interactive-upgrade --latest.

@milesj : did you mean yarn upgrade-interactive --latest?
docs: https://yarnpkg.com/en/docs/cli/upgrade-interactive

Err yeah, brain fart. Thanks.

same here with yarn 1.3.2

same here with yarn 1.5.1

Broken in 1.5.1 again

broken with -

$ node --version
v9.0.0
$ yarn --version
1.5.1

same issue node v8.9.4
yarn 1.5.1

One workaround: use yarn add instead of yarn upgrade.

In short:

  • yarn upgrade: upgrade packages to latest possible range specified by pacakge.json, but do not overwrite
  • yarn add: upgrade packages to latest possible range and rewrite package.json
  • yarn update, like npm update: doesn't exist

However npm update's doc says:

As of [email protected], the npm update will change package.json to save the new version as the minimum required dependency. To get the old behavior, use npm update --no-save.

But in fact...

 y > npm -v
5.7.0
 y > cat package.json
{
  "dependencies": {
    "lodash": "^4.17.5"
  }
}
 y > npm update lodash
npm WARN y No description
npm WARN y No repository field.
npm WARN y No license field.

+ [email protected]
added 1 package from 2 contributors in 1.004s
 y > cat package.json
{
  "dependencies": {
    "lodash": "^4.17.5"
  }
} 

Don't know which one to use :( Yarn added this behavior sometime in 2017 and then broke it silently. npm claims to have it when it doesn't work either.

@kittens Please reopen this issue.

as said by @octref yarn upgrade upgrades the dependencies to their latest version but does not overwrite the package.json. yarn add <package> will update the package to it's latest version if it's already install and overwrite the package.json. Is there a reason for yarn upgrade not to overwrite the package.json? If so, then maybe that can be added as a flag to yarn upgrade.

[email protected]
[email protected]
os: MacOS

Edit

read https://github.com/yarnpkg/yarn/issues/5602#issuecomment-377528617

One workaround: use yarn add instead of yarn upgrade.

Works like a charm. Need to update these two Docs pages to use yarn add instead of yarn upgrade.

I've been using yarn upgrade-interactive --latest for quite a while now without any hiccups...

I've been using yarn upgrade-interactive --latest for quite a while now without any hiccups...

Seems a bit redundant.. Why not just use the easiest of all of these commands, yarn add? Super simple.

@guylepage3 because I get to see what upgrades are available in what versions with different color coding based on patch / minor / major version changes, pick the ones I want to upgrade, and perform multiple upgrades at once that way. Nothing redundant about that?

@lehni then the documentation on the website should reflect this and the following two pages should state to use the yarn upgrade-interactive --latest method.

@guylepage3 this conversation is leading nowhere nor does it help. If you want to suggest update of docs, it might be better to create new issue specifically for that.

Sorry if you feel that way @alexdevero. And yep already did if you look above.. https://github.com/yarnpkg/yarn/issues/1458#ref-issue-332178362

This helped me: https://www.npmjs.com/package/syncyarnlock

$ yarn upgrade-interactive && syncyarnlock

This does not work for me for yarn workspaces. Can someone take a look?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

MunifTanjim picture MunifTanjim  路  3Comments

davidmaxwaterman picture davidmaxwaterman  路  3Comments

catkins picture catkins  路  3Comments

ocolot picture ocolot  路  3Comments

FLGMwt picture FLGMwt  路  3Comments