Yarn: Yarn doesn't stop if integrity check fails. Instead it creates a new yarn.lock

Created on 24 Apr 2017 · 5 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

Bug.

What is the current behavior?

[Screenshot: screen_shot_2017-04-23_at_5 18 10_pm]

If the current behavior is a bug, please provide the steps to reproduce.

See screenshot above.

What is the expected behavior?

  1. For it to immediately stop once the integrity check fails.
  2. For it to tell me what failed.
  3. For it to offer a course of action on how to fix.
  4. For it to not create a new yarn.lock file. That defeats the whole point!

Please mention your node.js, yarn and operating system version.

  • macOS 10.12.4.
  • yarn 0.23.2
  • node 7.9.0
triaged

All 5 comments

Even worse: if I `rm -rf node_modules/` and re-run `yarn install`, it still re-creates `yarn.lock`, but without the integrity check warning.

Here's the diff:

```diff
diff --git a/yarn.lock b/yarn.lock
index 0127e1f..2dc023b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3102,11 +3102,7 @@ ieee754@^1.1.4:
version "1.1.8"
resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.1.8.tgz#be33d40ac10ef1926701f6f08a2d86fbfd1ad3e4"

-ignore@^3.0.9, ignore@^3.2.0:

@@ -3991,11 +3987,11 @@ [email protected], minimist@~0.0.1:
version "0.0.8"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"

[email protected], minimist@^1.1.3, minimist@^1.2.0:
[email protected], minimist@^1.2.0:
version "1.2.0"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"

-minimist@^1.1.0, minimist@~1.1.0:
+minimist@^1.1.0, minimist@^1.1.3, minimist@~1.1.0:
version "1.1.3"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.1.3.tgz#3bedfd91a92d39016fcfaa1c681e8faa1a1efda8"
```
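Review bot: in the minimist hunk, `minimist@^1.1.3` leaves the `version "1.2.0"` entry and joins the `version "1.1.3"` entry, so that range now resolves to an older release than the lockfile previously pinned. Treat this as a resolution change rather than a cosmetic rewrite: confirm 1.1.3 is acceptable for every dependent of `^1.1.3`, and commit the regenerated yarn.lock as its own reviewed change so the version move is visible in history.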

I think what you're looking for is `yarn install --frozen-lockfile`, which is supposed to be used e.g. in the CI where you want to fail. Locally it's quite practical that the yarn.lock file is automatically updated, because it's the only way to fix the integrity issues.

> Locally it's quite practical that the yarn.lock file is automatically updated, because it's the only way to fix the integrity issues.

  • Integrity issues should never happen in the first place
  • If they do, something is very wrong, and yarn needs to explain _what_ is wrong

:+1:

In 0.23 (and 0.26 added a patch) Yarn learned to optimize the lockfile to reduce the number of distinct packages downloaded.
This should be a one-off optimization.
`--frozen-lockfile` got broken; we'll fix it in https://github.com/yarnpkg/yarn/issues/3313
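The thread asks Yarn to say what changed when it rewrites yarn.lock. The following is an added example, not part of the thread and not Yarn's own code: it compares two copies of a yarn.lock (v1 text format) and lists every dependency range whose resolved version differs, including ranges that were added or removed. The function names `parseLock` and `lockDrift` are hypothetical, and the sample lockfile text is constructed from the minimist entries in the diff above.

```javascript
// Parse yarn.lock v1 text: an unindented "name@range, name@range:" header
// followed by an indented `version "x.y.z"` line. Returns Map(range -> version).
function parseLock(text) {
  const resolved = new Map();
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header: comma-separated patterns, optionally double-quoted.
      keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
    } else {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) for (const k of keys) resolved.set(k, m[1]);
    }
  }
  return resolved;
}

// Compare two lockfiles. `from`/`to` are null when a range is added or removed.
function lockDrift(beforeText, afterText) {
  const before = parseLock(beforeText), after = parseLock(afterText);
  const changes = [];
  for (const range of new Set([...before.keys(), ...after.keys()])) {
    const from = before.get(range) ?? null, to = after.get(range) ?? null;
    if (from !== to) changes.push({ range, from, to });
  }
  return changes.sort((a, b) => a.range.localeCompare(b.range));
}

// Constructed sample input (committed lockfile vs. lockfile after install).
const BEFORE = `
minimist@^1.1.3, minimist@^1.2.0:
  version "1.2.0"

minimist@^1.1.0, minimist@~1.1.0:
  version "1.1.3"
`;
const AFTER = `
minimist@^1.2.0:
  version "1.2.0"

minimist@^1.1.0, minimist@^1.1.3, minimist@~1.1.0:
  version "1.1.3"
`;

const drift = lockDrift(BEFORE, AFTER);
for (const c of drift) console.log(`${c.range}: ${c.from} -> ${c.to}`);
```

In CI, the same comparison between the committed yarn.lock and the file left behind by the install step can fail the build whenever the list is non-empty.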
