-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The --frozen-lockfile command-line option does not work #3313
Comments
Remove the git diff invocations from the Travs CI build script. Check in yarn.lock that Travis CI seems to like. I have created yarnpkg/yarn#3313 about yarn ignoring the `--frozen-lockfile` command-line option. Until that gets resolved, we will stick the the ill-conceived `--pure-lockfile`.
Same here. Yarn is also annoyingly shifting dependency versions slightly during the build, which breaks the stable-dependency check we have, even when
Versions (CircleCI Ubuntu 12.04 node):
|
I have reported the shifting dependencies here: #3315 |
@ddgenome @henryptung shouldn't the command be |
@mysterycommand From the
To my understanding, the intent of |
@ddgenome, thank you for that. |
This is where it should fail but does not https://github.com/yarnpkg/yarn/blob/master/src/cli/commands/install.js#L340. Help debugging and a PR are welcome |
The |
Am I missing something, or does this bug mean that |
Hey, there's NPM 5 out. :) |
Working on this. Located the reason and place to fix. PR on the way after I figure out the tests part. |
Oh wait I missed @gpoole's patch. Still, working on this :) |
**Summary** Fixes #3313. Yarn automatically optimizes less-than-ideal `yarn.lock` files, usually from older versions. That said when run with the `--frozen-lockfile` argument, it should neither touch the lockfile nor throw an exception if the lockfile satisfies all the needs, even if it can be optimized. **Test plan** Existing unit tests plus a new unit test which fails without the fix applied.
@BYK could you link to the commit or release its fixed in? |
Is there a reason why |
I'm left confused by reading through this issue. I've found that version mismatches of yarn between our CI server and individual dev machines to cause All I want to do is
How can I direct yarn to install exactly what's in the lockfile and not modify it? |
I understand the confusion between |
@BYK Thank you for your response. I understand where you're coming from, but in reality it's going to be painful to coordinate the specific version of yarn on 6 developer machines, Travis-CI, our own CI server, what's required for OSS projects we contribute to, etc. It would really be great if I could just direct the yarn cli to use exactly what's in the lockfile, don't update it, don't make any new decisions, don't throw exceptions due to mismatches, just use what was already decided upon. |
The lock file only determines the resolved versions. The resolved tree differes between yarn versions and it is codified in the algorithm itself. See kittens' post:
That said I think I have a solution for you: https://yarnpkg.com/blog/2016/11/24/offline-mirror/#did-you-know-that-yarn-is-also-distributed-as-a-single-bundle-js-file-in-releaseshttpsgithubcomyarnpkgyarnreleases-that-can-be-used-on-ci-systems-without-internet-access I've had a similar problem when I was working back at Disqus and we ended up checking in one of these bundles into the codebase (it's realtively small) and aliasing Let me know if this helps you resolve the issue. |
Hey that's kind of awesome. I'll give that some consideration, thank you! One addition that might really make this awesome would be if you could list Either way, thanks again! |
Get out of my mind! I was actually thinking about something similar 😀
This is interesting and I'm okay trying to mimic an existing, well-established behavior. That said may be instead we can define I'd really encourage you to go over to https://github.com/yarnpkg/rfcs and try submitting a short RFC for this to see what others think. I'd love to ship this with 1.0 of we can get it ready.
My pleasure! |
@BYK so is it correct to conclude the following, or have I misunderstood? Although it is essentially mandatory to coordinate/sync the version of I tried pinning the version of |
Not really. I've just mentioned this in my earlier comments. The convention is to check-in the build yarn.js file into the repo unless you are using something like Chef to sync everything across all devices. I liked your approach but don't understand the concern around
Wasn't that the point then: to lock yarn versions and enforce everyone to use the exact same one? |
Yes, but it also locks versions for anyone attempting to install it globally as a CLI tool. Perhaps that's a bug/unintended side effect? What I want is to make sure that anyone/anything (collaborators, CI, etc) that interacts with the The package in question - quite relevant to
I don't think users should need to know/run The only doubt I have is because I publish this module with |
@rarkins - I see your point. I'd still suggest checking in the I think this may be quite interesting. //cc @yarnpkg/core |
@BYK after a few more minutes for the idea to bounce around, I think it's as simple as "yarn should not include yarn version in published package.json" or maybe "yarn should ignore yarn engines field when installing". Given that Do you foresee any problems with that idea? |
A few:
If you want everyone to use the same Yarn version, you need to put the same Yarn version to everyone. Why don't you just put the single-file Yarn release inside your repository? That's essentially what we do at Facebook to make sure that we're all using the exact same Yarn version at any single point in time, commit-wise. Now, what could be interesting would be to have another package on top of the regular |
Your solution of checking in the package manager may still be right, but I don't agree with most of the logic below. Reasoning follows:
Yarn broke that principle in the first place though by enforcing engines by default, while "other package managers" did not. Therefore it seems flawed to now use this principle as reasoning to fix this problem. Also consider this: the way it currently works, I'd say that using a pinned version of
But we are talking about yarn's own engine field, not other ones. I wouldn't expect other package managers to care/enforce yarn's engine version the same way I don't expect yarn to enforce npm version or any new "foonpm" package manager version.
But aren't there are multiple ways this could be done, including an
I might be missing something, but that seems like such a backwards approach for a package manager. Every other package in the world should be semantically defined but for the package manager itself.. commit a compiled file from another repo? It doesn't sit well with me even if that's what I'll probably end up doing. |
By the way, I don't have a problem with |
I think the surprise part is not changing the whole behavior but your suggestion is to make it only ignore this for
This feature may become useful for others too since
Not really.
It felt weird to me too at first but the problem with syncing package manager versions is, you can't install anything without a package manager, include the package manager itself. So it has to come from or controlled from somewhere else. The repo itself looks like a pretty good place since it would be ready along with all other files you need for the project that you can't download from a package registry. Again, the alternative is to use Chef or a similar config management tool. Also, I sense some anger/frustration in your tone. Did we do something to upset you? If so, how can we make it up to you and avoid it in the future? :) |
Right. I don't think it's unreasonable at all for
I just wanted to make sure we got past the "we have a problem" stage and to a "we have a possible solution". Or is RFC fine for an open "issue-like" problem discussion?
Open or not, the engines field is obviously vague if yarn can adopt such different approach to npm. Further, Let's say I run a service called "release automator" and the preferred way to configure it is by adding a
Sorry, not my intention to convey any upset/anger and I have edited the first paragraph of my previous comment to reduce that impression. |
Fair point.
I think we have identified the problem: there's no documented or automatic way to ensure
I really find this approach dangerous and quite opaque. Although yarn differs about how it interprets the
If your
No worries. I'm just making sure we don't break any hearts here :) Also thanks for the edit! |
Was having the same error with Travis, I upgraded my node version from 9 to 14 and it now works. Might be useful for someone else |
This probably fixed the issue since upgrading the version of Node brought along a newer version of Yarn. Make sure you're not using a version of Yarn from before this was fixed. |
The
--frozen-lockfile
command-line option does not work as advertised. It behaves the same way as when the option is not supplied, modifying the yarn.lock.Here's an example:
Do you want to request a feature or report a bug?
bug
What is the current behavior?
The yarn.lock can be overwritten when
--frozen-lockfile
is provided on the command line.If the current behavior is a bug, please provide the steps to reproduce.
Have a package.json that includes transitive dependencies with different versions. Sometimes, yarn will opportunistically collapse multiple dependencies on the same package into a single entry in the lock file if they can be satisfied by a single version. I'm not sure what triggers this. #579 contains a more thorough discussion.
Here is the link to a Travis CI build that exhibits the behavior: https://travis-ci.org/atomist/travis-rugs/builds/228523519
Here is the call to yarn that ended up with the yarn.lock being changed: https://github.com/atomist/travis-rugs/blob/c8b2dddfd129ae836a30864ec410ca9f01ff535e/.atomist/build/travis-build.bash#L68
What is the expected behavior?
yarn will make due with what is in the yarn.lock if it satisfies everything in package.json or fail if it can't.
Please mention your node.js, yarn and operating system version.
The text was updated successfully, but these errors were encountered: