Yarn: resolutions is not behaving the way I expect it to

Created on 30 Apr 2018 · 12Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?
I don't know if this is a bug, a small feature request or a big feature request.
It is a request for change, however.

What is the current behavior?
Resolutions only work within semver range and do not override a package's preferred semver range.

What is the expected behavior?
A resolution is strictly enforced across all (sub-)dependencies of a project.

Please mention your node.js, yarn and operating system version.
Yarn 1.6.0
Node 8.11.1
Mac OS X (insert long version number here; up to date at the time of writing)

To illustrate my problem
Given the following excerpt from my yarn.lock:

puppeteer@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/puppeteer/-/puppeteer-1.3.0.tgz#f571c5f27153ca164a8188e6328ce2e4946878f3"
  dependencies:
    debug "^2.6.8"
    extract-zip "^1.6.5"
    https-proxy-agent "^2.1.0"
    mime "^1.3.4"
    progress "^2.0.0"
    proxy-from-env "^1.0.0"
    rimraf "^2.6.1"
    ws "^3.0.0"

extract-zip@^1.6.5:
  version "1.6.6"
  resolved "https://registry.yarnpkg.com/extract-zip/-/extract-zip-1.6.6.tgz#1290ede8d20d0872b429fd3f351ca128ec5ef85c"
  dependencies:
    concat-stream "1.6.0"
    debug "2.6.9"
    mkdirp "0.5.0"
    yauzl "2.4.1"

mkdirp 0.5.0 does not run on strict mode (which is enforced by Jest), and results in a crash. mkdirp fixed this in 0.5.1, but extract-zip is requiring 0.5.0 and has not been updated in a very long time: https://github.com/maxogden/extract-zip/issues/57

As such, I _must_ make sure mkdirp resolves to 0.5.1, so I added a resolution:

  "resolutions": {
    "mkdirp": "^0.5.1"
  }

But this did not do anything, as yarn still respects extract-zip's wishes. At this point, I can do two things:

1: Manually edit yarn.lock and hope for the best
2: Fork extract-zip and update the dependencies, then fork puppeteer and let it use my fork of extract-zip and then use my fork of puppeteer in my project. Every time puppeteer updates, I'd need to pull it down into my fork and then re-update my project.

Both options are unwieldy. I would like to have to way to completely ignore extract-zip's wishes (demands) and force it to use a version of my choosing.

triaged

Source

StephanBijzitter

Most helpful comment

Unfortunately I'd go so far as to describe the example on that page as incoherent. What c-1 and d2-1 stand for is anyone's guess as is why there are two *s on one of them but not on the other and what the file is referring to, all a mystery.

roberthchapman on 31 Jan 2019

👍26 😕1

All 12 comments

To illustrate what I was expecting resolutions to do:

Before manual editing:

[email protected]:
  version "0.3.0"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.0.tgz#1bbf5ab1ba827af23575143490426455f481fe1e"

[email protected]:
  version "0.5.0"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.0.tgz#1d73076a6df986cd9344e15e71fcc05a4c9abf12"
  dependencies:
    minimist "0.0.8"

[email protected], [email protected], "mkdirp@>=0.5 0", mkdirp@^0.5.0, mkdirp@^0.5.1, mkdirp@~0.5.0, mkdirp@~0.5.1:
  version "0.5.1"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.1.tgz#30057438eac6cf7f8c4767f38648d6697d75c903"
  dependencies:
    minimist "0.0.8"

After manual editing:

[email protected], [email protected], [email protected], [email protected], "mkdirp@>=0.5 0", mkdirp@^0.5.0, mkdirp@^0.5.1, mkdirp@~0.5.0, mkdirp@~0.5.1:
  version "0.5.1"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.1.tgz#30057438eac6cf7f8c4767f38648d6697d75c903"
  dependencies:
    minimist "0.0.8"

StephanBijzitter on 30 Apr 2018

This is expected behavior. What you need is

  "resolutions": {
    "**/mkdirp": "^0.5.1"
  }

See the docs for more info: https://yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it

BYK on 1 May 2018

❤7

Ah, so the resolution "mkdirp" would only apply to direct dependencies; without recursing down the tree. Yeah, if explained like that it makes perfect sense!

However, even after re-reading the docs, this is not clear to me. I'll see if I can find the time sometime soon to propose an update to the docs :-)

StephanBijzitter on 1 May 2018

👍4 ❤3

I'll see if I can find the time sometime soon to propose an update to the docs :-)

This would be great, thank you!

BYK on 3 May 2018

roberthchapman on 31 Jan 2019

👍26 😕1

Ah, apparently I completely forgot about this. Will add it back into my agenda.

@roberthchapman it's a glob, but I guess for Windows users this may be something they've never seen before indeed. This could indeed also benefit from some examples being listed.

StephanBijzitter on 31 Jan 2019

@StephanBijzitter is there any update on adding examples to the yarn resolutions docs? :)

shermanhui on 21 Jun 2019

Ghehe, yeah: it got lost in a huge list of things still to do.

But, I got time this morning!

StephanBijzitter on 21 Jun 2019

@shui91 Not sure why you asked, but if it was because you'd be able to pick it up otherwise: good, because I could use your feedback on the pull request linked above 👼

StephanBijzitter on 21 Jun 2019

👍1

The package.json#resolutions docs add a link to the RFC.

Perhaps it would make sense to link it here as well?

willgriffiths on 26 Aug 2019

👍2

This is expected behavior. What you need is
  "resolutions": {
    "**/mkdirp": "^0.5.1"
  }
See the docs for more info: https://yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it

I know this one is almost 2 years old but isn't "**/mkdirp": "^0.5.1" the same as "mkdirp": "^0.5.1" as it is written here: https://github.com/yarnpkg/rfcs/blob/master/implemented/0000-selective-versions-resolutions.md ?

a is an alias for **/a (for retro-compatibility, see below, and because if it wasn't such an alias, it wouldn't mean anything as it would represent one of the non-nested project dependencies, which can't be overridden as explained below).

cc: @StephanBijzitter @BYK