Yarn: Wrong dependency installed for React Router 4

Created on 17 Nov 2016 · 12 Comments · Source: yarnpkg/yarn

'npm install' installs history 4.4.0, while yarn for some reason installs 4.3.0

All 12 comments

Can't reproduce locally. I installed react-router@^4.0.0-alpha.5 both with npm and yarn and history is always at 4.4.0.

I will try to reset cache.

Hmm, still "version": "4.3.0". Can you please check this package json? https://github.com/este/este/blob/d5232784a94be7eda6218f3ba1f1749f7f969ef8/package.json

Ok this seems indeed like a weird bug in yarn. Very interesting case you got here.

For reference, these are the steps to reproduce:

  1. Clone este and do a checkout on d5232784a94be7eda6218f3ba1f1749f7f969ef8
  2. Do a yarn install (tried with current master, b84fde34). (I recommend deleting the postinstall entry cause it is unnecessary for this test and takes ages)
  3. Look into node_modules/react-router/node_modules/history/package.json. It installed 4.3.0 even though 4.4.0 is newer and it was required to be ^4.3.0 in react-router.
  4. We got another version of history on root level which is 4.4.0
  5. Delete node_modules and do npm install. Only the root level [email protected] is present.

The yarn.lock file is interesting as well. For react-router we got this part:

[email protected]:
  version "4.0.0-alpha.5"
  resolved "https://registry.yarnpkg.com/react-router/-/react-router-4.0.0-alpha.5.tgz#9d80514f9bbbec040dffbd4f9cf241da2830e318"
  dependencies:
    history "^4.3.0"
    path-to-regexp "^1.5.3"
    query-string "4.2.3"
    react-broadcast "^0.1.1"

which refers to history@^4.3.0. This gets resolved to this entry:

history@^4.3.0:
  version "4.4.0"
  resolved "https://registry.yarnpkg.com/history/-/history-4.4.0.tgz#b1369588cb9e5d80219d0b1f866b0ac62c14a7f8"
  dependencies:
    invariant "^2.2.1"
    loose-envify "^1.2.0"
    resolve-pathname "^2.0.0"
    value-equal "^0.1.1"
    warning "^3.0.0"

The resolved URL for 4.3.0 cannot be found in the lockfile. No other entry contains history.

Sorry, my bad.

You have to cat node_modules/react-router/node_modules/history/package.json 😜

Edit: hehe

yarn add [email protected] produces the same thing for me.

Or, to be precise https://registry.npmjs.org/react-router/-/react-router-4.0.0-alpha.5.tgz

Since this is an alpha release of react-router I don't find any reason to report it. But, if you guys feel like you can.

But why does npm i work while yarn does not?

Oh ok, that's rare that a package publishes its node_modules folder.

How can this happen though? I thought that npm ignores node_modules by default when publishing.

Btw @torifat you are right of course, yarn add [email protected] is sufficient to reproduce. I apparently made the same mistake in the beginning and looked into the root node_modules.

@steida: It seems that npm does some extra work to remove the node_modules folder inside of the downloaded package. It should be there in the first place. I don't think yarn should do this as well. So far, yarn gives the impression of trying to _not_ be defensive (for reference, see the explanation on shrinkwrap files not being taken into account (which I like by the way)).

(Router dev here)

Oh, that's a bad push on our part then. I have no idea why that was included (maybe the tarball was manually constructed?). It's certainly not the norm. We have a number of things outstanding on master that haven't been pushed, so I'll see about getting another version pushed and unpublishing that version.
