Yarn: Yarn upgrade-interactive should also edit the package.json, even when semver is valid

Duplicate of https://github.com/yarnpkg/yarn/issues/4443, I think.

And #4390

The old Yarn (pre v1) would always update to the latest as specified by the registry, so if your package.json had ^1.3.2 but the registry had 2.0.0 as the latest, it would upgrade you to 2.0.0 (ignoring your package.json). As of v1 that behavior now only happens if you pass -L/--latest flag. Without that flag it will respect what range is in your package.json.

I could certainly see the desire to update this range, and that could certainly be a feature request. We intentionally don't edit it at this point, because people might have some "exotic" ranges in there like 1.x || >=2.5.0 || 5.0.0 - 7.2.3 which is a valid range, and could be quite problematic to update and "get right".

Some thought behind this change is documented in this RFC: https://github.com/yarnpkg/rfcs/blob/master/implemented/0000-upgrade-command-consistency.md

I'll mark this as a "feature request" for now and leave it open.

I confirm that package.json is not updated. BUT should!

Updated versions just in yarn.lock is not good for me as a packages administrator. I receive different errors (with optionalDependencies, peerDeps, unproper package installations with nesting node_modules) with yarn when upgrade or install new packages and rarely remove yarn.lock or node_modules folder to get proper fresh install.

So with current behavior, I don't know with which top packages I had proper node_modules folder in past (with yarn 0.27 I had nice updated package.json and it gives to me good point for resolving package problems).

@rally25rs :

because people might have some "exotic" ranges in there like 1.x || >=2.5.0 || 5.0.0 - 7.2.3

So I suggest to skip updates for this "exotic", but update versions for x.x.x, ~x.x.x, ^x.x.x, >=x.x.x And make 99% of users happy 😉

The only way I can get the package.json to update is to remove and re-add the packages. Passing --latest to upgrade or upgrade-interactive does not update the package.json for me either.

yarn 1.3.2

I just retried running yarn upgrade-interactive --latest with v1.3.2 and the package.json is edited correctly. Even with still valid semver.

Is that for you guys also?

@rally25rs :

because people might have some "exotic" ranges in there like 1.x || >=2.5.0 || 5.0.0 - 7.2.3

So I suggest to skip updates for this "exotic", but update versions for x.x.x, ~x.x.x, ^x.x.x, >=x.x.x And make 99% of users happy wink

Is there a reason we can't have this behavior? I would greatly appreciate being able to quickly see the current minor|patch version by taking a quick look at package.json rather than grepping through yarn.lock which can grow rather large.

One use-case that makes sense to me is for security updates.

If a security update is created at patch level, for instance, then it makes sense to me to also allow the user to request that the package.json file is also updated to make it clear that the actual dependency has also been updated.

Thoughts?