-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Yarn Upgrade not changing yarn.lock since v1.0 #4476
Comments
any update on this? it's currently hard to update dependencies for my projects. |
bump. this is critical!! |
I just downgraded on a mac my local yarn to v0.27.5 node lts-6x - no lock file created/updated. so I sense there is an other problem somewhere?! |
FYI for anyone interested in downgrading read this article and I used the commit hash to point to the right $ brew install https://github.com/Homebrew/homebrew-core/87b41768b63a52d772f7e8bcc8e9360492ea513f/Formula/yarn.rb |
It is critical blocker for me too |
quick fix for build environments would be to use |
@pheadeaux did you clear your cache after downgrading? |
downgrading (and I hope this gets fixed soon. We basically can't upgrade to yarn 1 until it's fixed. |
added some details about my pacakge.json to the original post to help give more details. |
same on yarn 1.0.2 with MacOS Sierra. |
are there any maintainers who can look at this? it's preventing a lot of people from upgrading to version 1. |
@BYK do you know what I can do to get this issue addressed? It's been a while since it was posted and has received no response, but it affects a bunch of people and forces us to stay on yarn 0.27. |
Issue still with yarn 1.1.0 |
Ping @rally25rs. I think this is the new expected behavior after 1.0. @bdwain if it is urgent, you may wanna try digging into the code yourself. The code responsible for this is here: https://github.com/yarnpkg/yarn/blob/master/src/cli/commands/upgrade.js |
@rally25rs @BYK this doesn't seem like expected behavior. The docs explicitly state that yarn upgrade still changes yarn.lock. Is there another way to upgrade the lock file in 1.0 that I'm missing? Yarn upgrade seems to be the normal way of doing that. |
@bdwain Could you provide an example? (what the package name is, what version is currently installed, what semver range is specified in package.json)
Packages that are direct git repos are always considered "out of date" and will be re-downloaded. The SHA hash of the latest commit should be updated in For example:
With a git repo I could push a new commit to the So if no new commits are actually pushed to any of those 5 repos, then Yarn will still "upgrade" to them, but the It is quite reasonable that Yarn could/should query the github repo to check what the latest commit SHA is to determine if it is "outdated", but the existing behavior (uses
|
@rally25rs my package.json is in my original comment. My package is internal to my company so i can't really share it. I changed the name and the publishConfig but otherwise it's the same. In general, i wasn't so worried about the direct git dependencies. I just pointed them out to see if they were helpful. Really the problem was that I knew some of my semver dependencies were out of date but not getting updated. The other notable thing in my scenario is that I have a .yarnrc file pointing to an internal yarn registry running on top of artifactory. It forwards stuff to actual yarn and npm and has always worked fine with yarn 0.27, but maybe the registry needs updating for yarn v1? |
I assume it is one of the dependencies or devDependencies listed above in your package.json? Which one, and what version is currently installed (actual exact version, not semver range)? (knowing the package name and what version you are currently at, I can try to reproduce the issue) Edit: Also keep in mind that there was a change from v0 to v1 that changed what version would be upgraded to. Upgrade now respects the semver range in your package.json file unless you pass the |
it may also be the dependencies i have in my file. I'm not totally sure because none need an update now. But dependencies of dependencies are definitely affected. The expected upgrades are within the semver range i have though, so that should be the same I think (and I was under the impression that v0 's upgrade respected semver anyway). so as an example, i have yarn 0.27 installed and i just ran yarn upgrade on my project, and one of my dev dependencies (i didn't list it because it's internal), pulls in webpack-dev-server Currently, webpack-dev-server was resolving to 2.8.2 (in my yarn.lock at least). when i ran yarn upgrade on v0, it upgrade to 2.9.0. then i reverted my changes and upgraded yarn to v1 and reran yarn upgrade. Webpack dev server stayed at 2.8.2. Does yarn look at dependencies' yarn.locks now or something? EDIT: I added webpack-dev-server ^2.6.1 to my package.json and reran yarn upgrade and it pulled in the new version. So it seems like the issue is with transitive dependencies. |
Hmm, perhaps that is the issue... I don't think v1 tries to upgrade transient dependencies. I'm not sure if v0 did... never really thought about it. What upgrade does in v1 is basically call the logic for It was all confusing back in v0 too because I suspect in v1 I'll go re-pull the code for the last v0 build and see what |
Cool thanks for looking into this! My thought was always that an app should always determine the final version of any package it pulls in, whether transitive or not. Libraries should specify valid ranges but the app's yarn.lock was responsible for specifying the actual version (and respecting dependency ranges). So it seemed that ignoring the yarn.lock in dependencies was by design. If not, libraries basically need publish frequent updates with hardcoded dependency versions to let people use the most up to date version of transitive dependencies. Also, it's worth noting that with v1, if i delete my yarn.lock file and just run |
OK did a little hunting... In v0 all So if your package.json had:
then it was functionally equivalent to in v1 I do the same basic thing, feeding packages to @yarnpkg/core The topic "what is the correct thing to do here" is probably worth some additional discussion. We could go back to passing all packages to @bdwain Although it isn't ideal, I think you could emulate the old v0 |
Yup I was aware of that shortcut. For me it was easier to just downgrade to 0.27 temporarily because I just type yarn upgrade without even thinking now lol. To me, I always used upgrade-interactive to see what version upgrades were available to me that yarn upgrade WOULDN'T pull in for me, and just ran yarn upgrade regularly to pull in the latest versions WITHIN my semver range without caring which packages were actually affected. If someone wanted more granular control over their individual package upgrades, I would argue that they should set more strict semver ranges (or not even use ranges at all). |
How about we add a new flag to |
@BYK that's much better than having no option at all, but in my opinion, people usually just do |
Agreed. The behavior without any flags should be the intended purpose of the command. Options should be for exceptional cases. I think most people won't care if a package is a transitive dependency or not they'll want the latest version that they or their dependencies specifiy. That being said, I also think it'd be good to revert upgrade-interactive to its v0 behavior. Like I said earlier, to me it seems fundamentally different from upgrade, so sharing code shouldn't be the goal. The main reason for the interactivity to me is to upgrade outside of your semver range. Otherwise you should just use yarn upgrade or make your semvers more strict. I don't see it being especially useful in its current form without the --latest option. Thanks again for looking into this! I appreciate the effort! |
Counterpoint; to me Example: I have a project that uses There were several github issues around this pre-v1 because it was really confusing that each command picked different versions to upgrade to. That said, I'm fine with |
@rally25rs It sounds like upgrade-interactive is just masking the fact that your semver ranges could be tweaked to fit your needs better. Why would you ever not want to upgrade a package within the semver range you specify in package.json? It seems every package could be given a range such that you are always comfortable upgrading within that range, and then yarn upgrade always brings you to the latest comfortable versions for all of your packages, while upgrade-interactive could be used to change those comfort ranges. In your case, you could set the semver for phantom to |
Actually I'm starting to think the name upgrade-interactive is causing the confusion. The old behavior encouraged people to use it like I was using it, but the name makes it sound like it's just supposed to let you run a subset of the full Maybe the solution is to add a new command that behaves like upgrade-interactive with --latest. If that was done, I think it would satisfy everyone. I think this behavior is common enough that it should be available without adding options to another command. |
@bdwain yes that is what my semver ranges are set to. However if I selectively only wanted to upgrade say phantomjs to the latest in the semver range, in yarn v0...
There was no way to make I don't know how many times I replied to issues trying to explain "upgrade-interactive is not an interactive version of upgrade" which really makes no sense because the command naming would lead you to believe that it is (now in v1 is basically is). Anyway, as soon as I get a free moment I'll see what I can do about getting |
@rally25rs i see. My question is why are you uncomfortable updating other packages at the same time? Is there not a set of semver ranges that you would ALWAYS be comfortable running yarn upgrade with? I always viewed the whole point of semver ranges was to autoupgrade packages without having to pick and choose them individually. Otherwise you could just not set ranges and manually upgrade things when you want to. Though the alternative would be that yarn upgrade PKG upgrades a specific package within its range, which i think it should do. |
@bdwain well, yes and no... I mean the whole point of Yarn and NPM5 is deterministic builds, right. I've definitely had CI servers fail just because someone pushed a new patch-version of a package and it had a bug, so there are certain packages I look more carefully at before accepting their changes 😆 In a perfect world, yeah upgrade everything 👍 |
Yea i get that @rally25rs. What are your thoughts on |
I already got used to always passing the This is also where the main painpoint currently is for me. I see that the new |
@danez what behaviour did you experience if you did simply |
Yeah same for me, not sure if it makes a difference I just wanted to be safe. |
@danez I think I mentioned it above in this discussion, but it wasn't my intent to remove the upgrade of sub-dependencies when I made these changes. Yarn already had a built-in function to find outdated packages, so I just used that instead of blindly feeding all packages to the process, whether they needed upgraded or not. I saw it as an efficiency/speed gain (no sense in "upgrading" a package from v1.2.3 to v1.2.3, it's already there). I didn't think about the side-effect of that packages transient deps potentially being upgraded. I started on code for this fix yesterday and hope to PR something today... |
@rally25rs seems like yarn upgrade could share code with yarn install right? since it does the same thing assuming there is no yarn.lock |
For those keeping tabs on this issue... I pushed PR #4636 if anyone wants to try it out and verify that it works as expected. Sorry for the delay getting this together. It was more complicated than I thought because of the new features that were added as part of v1. @bdwain to respond to your comment, internally Anyway, if someone wants to test out that PR, I'd appreciate it! |
* [#4476] Upgrade transient deps during upgrades. * Rename 'transient' to 'transitive' * dont upgrade direct deps unless requested, add verbose upgrade logging * upgrade-interactive reuse lockfile cleaning from upgrade.js
* [yarnpkg#4476] Upgrade transient deps during upgrades. * Rename 'transient' to 'transitive' * dont upgrade direct deps unless requested, add verbose upgrade logging * upgrade-interactive reuse lockfile cleaning from upgrade.js
Do you want to request a feature or report a bug?
BUG
What is the current behavior?
nothing happens when i run yarn upgrade. No yarn-error.log is generated either. It happens for other people too.
But they are not all up to date.
in the other project, i see this every time i run yarn upgrade
(it's worth noting that those 5 packages are the only 5 that come up when i say yarn upgrade-interactive, and they are all direct git repo dependencies, not npm packages. the other project has no such dependencies)
but yarn.lock never changes
yarn upgrade also no longer installs dependencies when node_modules is empty.
If the current behavior is a bug, please provide the steps to reproduce.
I am just running yarn upgrade in my existing project. It's private so I can't link to it. But it happens in multiple projects
What is the expected behavior?
yarn.lock should update along with dependencies
Please mention your node.js, yarn and operating system version.
node: 8.5.0
yarn: 1.0.2
OS: Mac Sierra
Someone else has yarn 0.27.5 with the same project and it updates the dependencies. They are not just all up to date.
One other thing is that I am using an internal yarn registry (with artifactory), but it has never had an issue (and still works as of now) with yarn 0.27.5.
I'll try to post my package.json if that sheds any light on it
and i have a .yarnrc file pointing to an internal yarn registry (running on artifactory. it works with 0.27.5)
The text was updated successfully, but these errors were encountered: