yarn install changes yarn.lock file

[artlogic]

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
When installing certain packages the yarn.lock file is changed. It seems to be package specific. In this case cordova triggers the behavior.

If the current behavior is a bug, please provide the steps to reproduce.

In an empty directory, do the following:

yarn init
yarn add cordova
cp yarn.lock yarn.lock.initial
rm -r node_modules
yarn install
diff yarn.lock.initial yarn.lock

Notice that the yarn.lock file has changed.

What is the expected behavior?

Installing should not change the lock file if it already exists.

Please mention your node.js, yarn and operating system version.

node v6.11.3, yarn v1.0.1, Mac OS 10.11.6

[BYK]

I don't think this is a bug. I was able to reproduce the issue but the difference was

52,55d51
< ansi-regex@*:
<   version "3.0.0"
<   resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-3.0.0.tgz#ed0317c322064f79466c02966bddb605ab37d998"
<
1352c1348
< imurmurhash@*, imurmurhash@^0.1.4:
---
> imurmurhash@^0.1.4:

This change is just an optimization of the lockfile and doesn't change the semantics. We are planning to add a warning when the lockfile needs an update when running yarn install but if you want to ensure your lock file stays the same and is accurate, you should be using the --frozen-lockfile option.

I have to admit that this is a bit unintuitive and we are trying to come up with a good solution to this. You can follow or contribute to the discussion on #4147.

If you agree that this is not a bug and #4147 is a good place to continue the discussion, pleae close the issue :)

[artlogic]

@BYK thanks for your thoughtful response. After reading #4147, I'm on the fence about closing this issue. I'm hoping a bit more discussion here can help.

#4147 seems to be exclusively about the case where the yarn.lock and package.json are not in sync - in fact the only time optimization is mentioned is in this comment: #4147 (comment) - and that comment touches on the issue that concerns me: yarn modifying the yarn.lock file when no changes have been made to package.json.

It seems to me that the yarn.lock file should only change if my dependencies are somehow changing. In fact, up to this point, I've been telling my devs that if they see a change in the yarn.lock file, it's time to run yarn install. With the recent upgrades several reported back that after they received my changes and they ran yarn install, their lock file changed (the optimization). This makes for a confusing situation - should they commit the change? Should I somehow pre-optimize the lock file (is that even possible)?

It looks like I may have to, in the short term, add --frozen-lockfile true to .yarnrc in all my repos - but I'm not a huge fan of this solution because it precludes the workflow mentioned in #4147 where you edit the package.json and then run yarn install.

Is the intention that any invocation of yarn might modify yarn.lock?

[artlogic]

@BYK I'm sorry to bother you about this because I know you are very busy - but I'm hoping to get a definitive answer on this. My workflow for distributing dependency changes to my team has devolved into this:

yarn add [blah]
rm -r node_modules yarn.lock
yarn install
rm -r node_modules
yarn install

This seems to update the lock file properly (see #4476), and then optimize the lock file so that my team mates aren't checking in lock file changes.

Is my team using yarn incorrectly? Should we be expecting the lock file to change with every install command?

[k0pernikus]

@artlogic IMHO, your team mates should be allowed to check in lockfile changes even if they are just optimizations. I'd agree with the notion that yarn install optimizing the lockfile is counter-intuitive, yet still something that each developer of your team could safely commit. I don't understand why you want to prohibit that.

That being said, your workflow might lead to unexpected side-effects, as you are pretty much giving up the locked-in versions. Deleting the lockfile means that yarn has to resolve all the dependencies version again, and it will try to fetch the most current version as pointed out in your package.json leading to potential breakage, esp. if more than one dependency breaks at the same time in a future version.

If you still want to enforce that install does not touch lockfile, then you should use the frozen-lockfile flag:

 yarn add {blah}

Check in lockfile, and then another dev would use:

   yarn install --frozen-lockfile

DON'T ADD --frozen-lockfile to true in .yarnrc as it prevents you from ever updating, see: #4570

If you want to upgrade your dependencies, run:

 yarn upgrade

If you want to upgrade only one dependency:

  yarn upgrade {blah}

You can also just install a specific version of one dependency:

  yarn install {blah}@1.5

This allows for more fine-tuning and less headaches in the long run.

[artlogic]

@k0pernikus - thanks for your detailed response. First, I should apologize for conflating two issues - #4476 is driving some of my workflow. The fact that yarn upgrade appears to be somewhat broken has nothing to do with this issue, of course.

As for workflow, I can't imagine mine is the only team where one developer is in charge of maintaining/testing new dependencies while the other developers work on the code base. The big issue I have with what has started happened is that I would install/test new dependencies, tell everyone to run yarn install and then get 4-5 questions about if the changed yarn.lock should be committed. It seems like I'd be in a worse place if I said "if the lockfile changes, commit it" because at that point I could end up for a commit lock that looks something like this:

• yarn.lock changed (dev4)
• yarn.lock changed (dev3)
• yarn.lock changed (dev2)
• yarn.lock changed (dev1)
• Updated dependencies (me)

However, it could be this is just the way yarn is intended to work, so for my team's projects we'll change all our repos to use frozen lockfile so that only add and upgrade cause the lockfile to change.

One additional scenario... it seems like this could be a potential annoyance for projects with lots of contributors because potentially each time they clone and install, the lockfile might change. I certainly wouldn't want these optimizations in pull requests. Is the intention that most FOSS projects using yarn transition to a frozen lockfile as well?

[jboler]

@artlogic Our team has --install.pure-lockfile true in the project's .yarnrc for exactly this reason.

[artlogic]

@jboler - I hadn't seen that setting before. I'm going to have to take a look, but it looks like I'll be suggesting that we add that to the .yarnrc for all our repos, and all the repos of any FOSS projects I have.

If someone from the yarn team can confirm that the intention is that yarn install can and will change the lock file on every run (despite no changes to dependencies) then I'll close this issue.

[BYK]

@artlogic sorry for the late response.

The thing is, it is expected that yarn install to potentially change the lock file. I know this is not ideal and needs better communication though. I really want to have a better default but in the meantime, I think something like @jboler suggested with but maybe using --frozen-lockfile instead, would be the best solution until we figure out how yarn should behave under different scenarios like for workflows where people prefer simply editing package.json to update dependencies instead of using yarn add etc.

[vkrol]

@BYK I agreed with @artlogic . This behavior is very confusing:

The big issue I have with what has started happened is that I would install/test new dependencies, tell everyone to run yarn install and then get 4-5 questions about if the changed yarn.lock should be committed.

Our team consists of ~50 people who run yarn install every day :(

[BYK]

@vkrol you should be able to check in a .yarnrc file that has --install.frozen-lockfile true or --install.pure-lockfile true to avoid issues until Yarn changes its behavior. Would that help?

[vkrol]

@BYK pure-lockfile will help us, but not frozen-lockfile. If I understand correctly yarn install will fail with an error if frozen-lockfile is enabled. This behavior is absolutely unacceptable in our case.

[BYK]

@vkrol my preference is frozen-lockfile since it will fail only if your lock file needs changing and is not consistent. With pure-lockfile you may have a lockfile close to being useless or very inaccurate but you still wouldn't get a failure. Yarn would simply use the internal resolutions it calculated happily. If all your team members use the exact same version of Yarn, this should be fine. If not, it can be dangerous.

[vkrol]

@BYK maybe I do not understand the behavior of frozen-lockfile correctly. Does it fail when the lockfile is consistent with the package.json content, but some internal optimization needed?

[BYK]

@vkrol it should not fail when the file can be optimized further but it is consistent with package.json and is consistent in itself. If not, this is a bug. There is even a test for this:

yarn/__tests__/commands/install/lockfiles.js

Lines 72 to 84 in 0415b07

	test.concurrent(
	"doesn't write new lockfile if existing one satisfied but not fully optimized with --frozen-lockfile",
	(): Promise<void> => {
	return runInstall(
	{frozenLockfile: true},
	'install-should-not-write-lockfile-if-not-optimized-and-frozen',
	async (config): Promise<void> => {
	const lockfile = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
	expect(lockfile.indexOf('left-pad@1.1.3:')).toBeGreaterThanOrEqual(0);
	},
	);
	},
	);