yarn installs incorrect version for typescript, because dist-tag is ignored

Created on 5 Dec 2016 · 5Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

_bug_

What is the current behavior?
If the current behavior is a bug, please provide the steps to reproduce.

You have an empty package.json:

{
  "name": "yarn-test",
  "version": "1.0.0",
  "private": true
}

You run $ yarn add typescript:

yarn add v0.18.0
info No lockfile found.
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
└─ [email protected]
✨  Done in 0.68s.

You now have this package.json:

{
  "name": "yarn-test",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "typescript": "^2.0.10"
  }
}

And this yarn.lock:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


typescript@^2.0.10:
  version "2.0.10"
  resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.0.10.tgz#ccdd4ed86fd5550a407101a0814012e1b3fac3dd"

Now remove the yarn.lock and run $ yarn install.

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


typescript@^2.0.10:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.1.1.tgz#41c2b64472f529331b2055c0424862b44ce58d42"

Now [email protected] was installed which is wrong. The latest version of Typescript is 2.0.10 which was installed in the first run. 2.1.1 is released with an @rc dist-tag.

$ npm i --save typescript@next
└── [email protected]

$ npm i --save typescript@rc
└── [email protected]

$ npm i --save typescript@latest
└── [email protected]

What is the expected behavior?

Install [email protected] again.

Please mention your node.js, yarn and operating system version.

$ node -v
v6.9.1

$ yarn -V
0.18.0

macOS 10.12.1

cat-bug

Source

donaldpipowitch

👍17

Most helpful comment

@StephenFluin Angular should not be affected, because it uses a suffix like -rc.x in its rc releases.

Only repos using normal semver versions and tag these as rc with npm like typescript does are affected.

For Example:

Angular

// npm info  @angular-core
{
  "dist-tags": {
    "rc": "4.1.0-rc.0",
    "latest": "4.0.0"
  },
  "versions": [
    "4.0.0",
    "4.1.0-rc.0"
  ]
}

yarn add angular-core # installs 4.0.0



md5-9d0cdc8cba1a7cdfe66c078b6930dc77



```bash
yarn add typescript # installs 2.4.0, and its wrong - should be 2.3.0

cebor on 13 Jun 2017

👍6

All 5 comments

Any plans when this will be fixed ? I have the same issue with the latest typescript version: #2655

cebor on 9 Feb 2017

👍5

Are there any workarounds for this? I'm getting 2.3.0 rc installed for "typescript": "^2.2.1" in my package.json.

mdouglass on 15 Apr 2017

👍4

Any update on this? This is affecting release of things like Angular. An upcoming release was put on npm with the tag @next but everyone pinned to the major ('^4.0.0') started getting it early.

StephenFluin on 10 Jun 2017

👍2

@StephenFluin Angular should not be affected, because it uses a suffix like -rc.x in its rc releases.

Only repos using normal semver versions and tag these as rc with npm like typescript does are affected.

For Example:

Angular

// npm info  @angular-core
{
  "dist-tags": {
    "rc": "4.1.0-rc.0",
    "latest": "4.0.0"
  },
  "versions": [
    "4.0.0",
    "4.1.0-rc.0"
  ]
}

yarn add angular-core # installs 4.0.0



md5-9d0cdc8cba1a7cdfe66c078b6930dc77



```bash
yarn add typescript # installs 2.4.0, and its wrong - should be 2.3.0

cebor on 13 Jun 2017

👍6

I just got bit by this today. Is Yarn by design ignoring dist-tags? Or is this a bug to be fixed?