Do you want to request a feature or report a bug?
Bug 馃悳 馃槺 Yarn selects different versions than NPM with the same version specifier.
What is the current behavior?
aes-decrypter
is on npm: { latest: '1.0.3', beta: '1.0.0-0', next: '1.1.0' }
video.js
is on npm: { latest: '5.11.9', next: '5.12.6', alpha: '5.9.0-2' }
videojs-contrib-hls
depends on aes-decrypter@^1.0.3'
and video.js@^5.10.1
videojs-contrib-hls@^3.6.7
inpackage.json
:{
"name": "yarn-next-bug-test",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
"videojs-contrib-hls": "^3.6.7"
}
}
yarn
The packages installed and added to yarn.lock are:
What is the expected behavior?
What NPM does with this same package.json:
Please mention your node.js, yarn and operating system version.
node.js v7.0.0
both yarn v0.16.0 and v0.19.0-0 (master at f0d875a67a06d8b2405be177d0c43820442d802b) have the bug
both npm v3.10.9 and v4.0.2 do the expected thing
macOS Sierra 10.12.2 Beta (16C32f)
I ran into the same thing. This seems to go wrong in NpmResolve#findVersionInRegistryResponse
, where range
never is a key of dist-tags
for transitive dependencies but simply a semver range, and config.resolveConstraint
then simply returns the highest one.
(A good example of disaster striking is the horribly broken canary release mechanism of lerna, that produces semver pre-release versions that end with the short git commit hash. I guess real programmers always count downwards, and start from 'f'.)
I'm also having this problem with the typscript package.
Running npm view typescript 'dist-tags'
Gives this output:
{ latest: '2.0.10',
next: '2.2.0-dev.20161129',
beta: '2.0.0',
rc: '2.1.1',
insiders: '2.0.6-insiders.20161017' }
Running npm install
installs the 2.0.10 version
After running yarn i have this entry in yarn.lock
typescript@^2.0.9:
version "2.1.1"
resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.1.1.tgz#41c2b64472f529331b2055c0424862b44ce58d42"
You could argue who is doing wrong. I think that yarn follows semver and looks for latest valid release which in my cases is 2.1.1.
Npm seems to use the info from dist-tags and typescript should have used the version "2.1.1-rc".
Encountered this when installing nightmare
via yarn - nightmare depends on electron@^1.4.4
which resolves to 1.6.0
which is under the beta
dist-tag on npm. Highest latest version is 1.4.15
. I unknowingly wrote code against a beta version of electron, now need to downgrade it to run on production.
My workaround was to explicitly declare the version of electron
that I wanted in package.json
separately.
Most helpful comment
Encountered this when installing
nightmare
via yarn - nightmare depends onelectron@^1.4.4
which resolves to1.6.0
which is under thebeta
dist-tag on npm. Highest latest version is1.4.15
. I unknowingly wrote code against a beta version of electron, now need to downgrade it to run on production.My workaround was to explicitly declare the version of
electron
that I wanted inpackage.json
separately.