yarn install --force not overwriting yarn.lock when --frozen-lockfile true set in .yarnrc

[k0pernikus]

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

yarn install --force is not overwriting yarn.lock

yarn init
yarn add lodash

Add .yarnrc:

--frozen-lockfile true

Edit package.json and add another dependency to get package.json and yarn.lock out of sync.

Run

yarn install --force

Example repository: https://github.com/k0pernikus/yarn-bug-install-force

yarn install

What is the expected behavior?

yarn install --force should overwrite the lockfile as stated in the help:

--force    install and build packages even if they were built before, overwrite lockfile

My goal is to get an updated yarn.lock file.

Yet the yarn.lock is not touched AND all the dependencies as pointed out in the package.json are installed locally.

I know the package.json and the yarn.lock file do not match. That's why I run force to begin with. Yet I have to temporarily remove the .yarnrc config. Then I can just run yarn install to get an updated yarn.lock file and the force flag becomes needless and misleading.

A developer will get a working state on their machine, yet it will lead to error on the build system and it's hard for them to know why.

Please mention your node.js, yarn and operating system version.

node v8.4.0
yarn 1.1.0
Ubuntu 16.04

[k0pernikus]

We ran into this again. Could you please provide any feedback if this will be fixed or if there is a working workaround that both allows for frozen-lockfile setting as a default but also allows for adding new dependencies?

[k0pernikus]

I have deleted the frozen-lockfile true option from my .yarnrc from my repositories, as this bug makes trying to maintain the dependencies nigh impossible when it is set on a local dev machine.

frozen-lockfile should only be active on a yarn install. It should allow changing the lockfile through yarn upgrade and through yarn install --force.

Instead, I now ensure that the yarn.lock is in sync during build by calling setting providing the flag directly through yarn install --frozen-lockfile in my Dockerfile. Still, I would like to have this set on local environment as well.

[stringbeans]

I too would like to add --install.frozen-lockfile true to our .yarnrc file, but it doesnt seem like there's any way to override the .yarnrc properties if you need to :(

it would be nice if i could run yarn --force to force an update to the yarn.lock file, OR run yarn upgrade to force an update to yarn.lock

[olegserov]

@k0pernikus @stringbeans I found a workaround, if your run this command yarn install --no-default-rc, it will write yarn.lock.

Full demo:

$ git status yarn.lock
...
nothing to commit, working tree clean

$ cat .yarnrc
--frozen-lockfile true

$ yarn install
....
error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.

$ yarn install --force
......
✨  Done in 54.34s.

$ git status yarn.lock
.....

nothing to commit, working tree clean


$ yarn install --no-default-rc
...
success Saved lockfile.
✨  Done in 53.23s.

$ git status yarn.lock
...
	modified:   yarn.lock
...

[k0pernikus]

To expand on @olegserov workaround, it only works if one does not need a .npmrc as well, as both .yarnc and .npmrc are ignored:

$ yarn help | grep no-default-rc
    --no-default-rc                     prevent Yarn from automatically detecting yarnrc and npmrc files

For my projects, the workaround is not feasible as they require a private registry setting provided through the .npmrc config file.