Yarn: impossible to update package without pulling in updates of all dependencies

Created on 7 Mar 2018 · 9 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?
bug

What is the current behavior?

  1. there's a package.json, where "<packagename>": "~4.6.0", dependency is defined
  2. there's an entry in yarn.lock, which has the following lines:

         "<packagename>@~4.6.0":
           version "4.6.73"
           resolved "https://<repository-url>/<packagename>-4.6.73.tgz#376e31e5ee9f7c6bb2c89d3921bfe7b24b6a75cf"
           dependencies:
             bootstrap-sass "^3.3.7"
             ember-bootstrap "^1.0.0"
             ember-bootstrap-datetimepicker "^1.1.0"
             ember-cli-babel "^5.1.7"
             ember-cli-htmlbars "^1.3.4"
             ember-cli-moment-shim "^3.5.0"
             ember-cli-string-helpers "^1.5.0"
             ember-component-css "^0.3.7"
             ember-config-service "^0.1.5"
             ember-font-awesome "^3.1.0"
             ember-moment "^7.4.1"
             ember-power-select "^1.10.4"
             ember-sticky-element "0.1.3"
             ember-truth-helpers "^2.0.0"
             eonasdan-bootstrap-datetimepicker "^4.17.47"

  3. there's a new version of <packagename> in repository (4.6.74)
  4. the only thing that is changed in the new version of <packagename> is package.json file (with version bumped). Just one number, no other changes at all.

There is no way to update <packagename> from 4.6.73 to 4.6.74 without updating all its dependencies.

What is the expected behavior?
With yarn 1.3.2 we could run yarn add <packagename>@~4.6.0 --force and the package would be updated correctly; in 1.5.1 this doesn't do anything. There's no other way of doing an update like that (yarn update pulls updates for other dependencies, which is unacceptable).

Please mention your node.js, yarn and operating system version.

yarn versions v1.5.1
{ yarn: '1.5.1',
  http_parser: '2.7.0',
  node: '6.10.2',
  v8: '5.1.281.98',
  uv: '1.9.1',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  icu: '58.2',
  modules: '48',
  openssl: '1.0.2k' }
cat-bug good first issue help wanted triaged

All 9 comments

Can you use yarn update <packagename>? Docs are here: https://yarnpkg.com/en/docs/cli/upgrade

_edit:_

Oh wait, you want to upgrade <packagename> _without_ upgrading all these?

    bootstrap-sass "^3.3.7"
    ember-bootstrap "^1.0.0"
    ember-bootstrap-datetimepicker "^1.1.0"
    ember-cli-babel "^5.1.7"
    ember-cli-htmlbars "^1.3.4"
    ember-cli-moment-shim "^3.5.0"
    ember-cli-string-helpers "^1.5.0"
    ember-component-css "^0.3.7"
    ember-config-service "^0.1.5"
    ember-font-awesome "^3.1.0"
    ember-moment "^7.4.1"
    ember-power-select "^1.10.4"
    ember-sticky-element "0.1.3"
    ember-truth-helpers "^2.0.0"
    eonasdan-bootstrap-datetimepicker "^4.17.47"

Don't run yarn upgrade <packagename> then, because by popular community demand, it will update all the transitive deps (yarn v1.0 used to not, but a bunch of people opened issues saying it should upgrade transitive deps too).

Hmm, I wonder if that behavior changed then. It might be finding the version in the lockfile and using that locked version despite the --force flag.

Can I take up this issue?

> Oh wait, you want to upgrade without upgrading all these?

Right, and I agree that yarn update should update them, but having no way to update <packagename> without updating its dependencies is bad.

> Hmm, I wonder if that behavior changed then.

It definitely did. yarn add --force worked fine for us before 1.5.1.

Also, I'd say the most suitable solution would be an option for yarn update (like --prefer-locked-dependencies) which would only trigger the upgrade of transitive dependencies if it is really required.

> Don't run yarn upgrade then ..

How can I upgrade only one package then?

I've opened PR #6471 which is my attempt to implement this. It worked for some rudimentary test cases I tried on my machine. I'd love to hear if this works for others too.

npm RFC got accepted 🎉
https://github.com/npm/rfcs/pull/21

@felixfbecker Almost 2 years after this, is there some news? I had the same problem (although I expanded the package-lock diff on GitHub and spotted the unwanted update even before merging the PR).
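
The lockfile check mentioned in the last comment (reading the diff for unwanted updates before merging), automated as an added example that is not part of the original thread or of yarn's code. It compares two yarn.lock (v1) texts and reports every entry whose locked version moved other than the package you meant to update; `parseYarnLock`, `unexpectedLockChanges`, `sampleLock`, `example-addon` and `dep-a` are hypothetical names, and the lockfile text is constructed.

```javascript
// Parse a yarn.lock (v1 format) into a Map of "name@range" -> locked version.
function parseYarnLock(text) {
  const locked = new Map();
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header, e.g.  "pkg@^1.0.0", pkg@^1.1.0:
      keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
    } else {
      // Only the entry's own two-space-indented `version` field is of interest.
      const m = /^  version "?([^"\s]+)"?$/.exec(line);
      if (m) for (const k of keys) locked.set(k, m[1]);
    }
  }
  return locked;
}

// Return every entry whose locked version differs between the two lockfiles,
// excluding entries of `intended` (the package that was supposed to move).
function unexpectedLockChanges(beforeText, afterText, intended) {
  const before = parseYarnLock(beforeText);
  const after = parseYarnLock(afterText);
  const changes = [];
  for (const key of new Set([...before.keys(), ...after.keys()])) {
    const name = key.slice(0, key.indexOf('@', 1)); // index 1 skips a scope's leading '@'
    const from = before.get(key) ?? null; // null = entry absent on that side
    const to = after.get(key) ?? null;
    if (from !== to && name !== intended) changes.push({ key, from, to });
  }
  return changes.sort((a, b) => a.key.localeCompare(b.key));
}

// Constructed sample lockfile; `example-addon` and `dep-a` are hypothetical names.
const sampleLock = (addonVersion, depVersion) => [
  '# yarn lockfile v1',
  '',
  '"example-addon@~4.6.0":',
  `  version "${addonVersion}"`,
  '  dependencies:',
  '    dep-a "^1.0.0"',
  '',
  'dep-a@^1.0.0:',
  `  version "${depVersion}"`,
  '',
].join('\n');

console.log(unexpectedLockChanges(
  sampleLock('4.6.73', '1.0.2'), sampleLock('4.6.74', '1.3.0'), 'example-addon'));
```

An empty result means only the intended package moved; a non-empty one lists the transitive entries to review before the lockfile change is merged.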
