Yarn: Yarn ignores lockfiles in npm packages, doesn't fix dependencies
Do you want to request a feature or report a bug?
Bug/issue/question - although possible it's user error, it's not entirely clear how this is meant to work
As far as I can work out, when publishing npm packages there's no way of locking dependencies using yarn. It seems it just ignores any yarn.lock file in the package and uses the standard npm pattern matching to work out dependencies. Is this right?
If so how does it square with 'an install that worked on one system will work exactly the same way on any other system' from your homepage? This seems to only be true for devs who can get a lockfile out of source control.
What is the current behavior?
Include yarn.lock file in an npm package to lock a dependency to a specific version (e.g. 1.0.0), where package.json has a range (e.g. ^1.0.0). If the dependency is upgraded to 1.0.1 then that gets installed on a yarn add: it's not locked at 1.0.0.
If the current behavior is a bug, please provide the steps to reproduce.
- Create empty folder called test-base, do npm init, accept defaults
- npm publish from test-base
- Create empty folder called test-container, do npm init, accept defaults
- yarn add test-base
- Delete the node_modules folder, you should have package.json and yarn.lock files. yarn.lock maps the test-base dependency ^1.0.0 to the 1.0.0 package.
- npm publish from test-container
- In the test-base folder change the version number in package.json to 1.0.1
- npm publish from test-base
Now in another empty folder do yarn add test-container. It installs 1.0.1 of test-base in spite of the lock file being in the container package and mapping ^1.0.0 to 1.0.0.
There are rich-test-base and rich-test-container packages in npm currently as above (with rich- prepended).
What is the expected behavior?
I thought including a yarn.lock file in a package locked all the dependencies to a specific version? Did I do something wrong?
Please mention your node.js, yarn and operating system version.
- node v6.10.3
- yarn 0.23.4
- windows 10
rich-newman
All 3 comments
That is by design https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/
bestander
on 4 May 2017
Thanks very much, that's an interesting read, indeed it's an interesting project. I have to say the idea that your devs have locked versions of dependencies whilst your end users get the next version automatically seems completely the wrong way round to me. I guess there's nothing stopping me using npm shrinkwrap for my packages though, so it's not an issue.
rich-newman
on 4 May 2017
It's very big issue as for me. package/yarn-lock.json doesn't make any sense in this case.
yhaiovyi
on 13 Jul 2018
Related issues
seansfkelley
路
3Comments
catkins
路
3Comments
baptistelebail
路
3Comments
MunifTanjim
路
3Comments
torifat
路
3Comments
Most helpful comment
Thanks very much, that's an interesting read, indeed it's an interesting project. I have to say the idea that your devs have locked versions of dependencies whilst your end users get the next version automatically seems completely the wrong way round to me. I guess there's nothing stopping me using npm shrinkwrap for my packages though, so it's not an issue.