Yarn: Yarn install --production installs a devDependencies package

Created on 20 Dec 2016 · 13 Comments · Source: yarnpkg/yarn

What is the current behavior?

yarn install --production installs packages in devDependencies (npm install --production doesn't).

/data/api # npm install --production >& /dev/null 
/data/api # ls node_modules/typescript
ls: node_modules/typescript: No such file or directory
/data/api # rm -rf node_modules/
/data/api # yarn install --production >& /dev/null 
/data/api # ls node_modules/typescript
AUTHORS.md                CopyrightNotice.txt       LICENSE.txt               ThirdPartyNoticeText.txt  jenkins.sh                netci.groovy              test.config
CONTRIBUTING.md           Gulpfile.ts               README.md                 bin                       lib                       package.json
/data/api # yarn why typescript
yarn why v0.18.1
[1/4] Why do we have the module "typescript"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info Has been hoisted to "typescript"
info Reasons this module exists
   - "typings#typings-core" depends on it
   - Specified in "devDependencies"
info Disk size without dependencies: "21.05MB"
info Disk size with unique dependencies: "21.05MB"
info Disk size with transitive dependencies: "21.05MB"
info Amount of shared dependencies: 0
Done in 2.56s.
/data/api # yarn why typings
yarn why v0.18.1
[1/4] Why do we have the module "typings"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info Has been hoisted to "typings"
info This module exists because it's specified in "devDependencies".
Done in 1.88s.

What is the expected behavior?

Typescript should not be installed.

Please mention your node.js, yarn and operating system version.

(In a docker container)

/data/api # node -v
v6.9.2
/data/api # yarn -V
0.18.1
/data/api # uname -r
4.4.0-53-generic


All 13 comments

Could this be because a yarn.lock is present in a dependency with typescript in it ?

I don't think so. I'm noticing the same thing, basically "yarn install --production" installing my devDependencies. It seems to act properly prior to Yarn 0.18.x from what I've seen. But 0.18.x and 0.19.x seem broken for production installs.

I'm having maybe the same problem with Yarn v0.20.3. I've noticed this:

If I have this package.json:

{
  "name": "test",
  "devDependencies": {
    "stylelint": "^7.8.0",
    "stylelint-order": "^0.2.2"
  }
}

yarn install --production correctly installs nothing.

But when I have this:

{
  "name": "test",
  "dependencies": {
    "trim-right": "^1.0.1"
  },
  "devDependencies": {
    "stylelint": "^7.8.0",
    "stylelint-order": "^0.2.2"
  }
}

yarn install --production installs stylelint (but not stylelint-order) and all its dependencies.

That's very weird because trim-right is completely disconnected from stylelint (actually trim-right has zero dependencies).

EDIT: I used trim-right to show the problem because it's a very simple package. But the problem seems to occur with any other package instead.

How did the >0.18.x releases get through the QA / testing process if they blatantly ignore what the instructions say in regards to how --production is supposed to work?

This is extremely dangerous behavior, some applications could have serious consequences if development packages are installed on production hosts... not just from a "this code shouldn't be here" perspective... but from an auditing and compliance perspective... if some "development aspect / debug tool" ends up on a production host under SOC regulation it could void that system's compliance!

I've done an in-depth analysis of this bug here

Experiencing the same issue https://twitter.com/SamVerschueren/status/842812648714571777. It looks like the production flag only installs the dependencies in package.json but also installs the devDependencies of those dependencies.

This issue seems to be fixed in v0.23.2 (worked for me). @jucrouzet can you confirm?

I confirm, it is fixed

On version 0.24.4 still running into this issue

Still running into this issue in v1.1.0 ... created issue for followup: https://github.com/yarnpkg/yarn/issues/4646

Regressed

I am getting this problem using v0.9.4

It sure happens to me:

yarn -v
1.22.5

On Windows, if this matters. Still installs _select_ dev packages!
