yarn install doesn't complain about garbled data for a given resolved version in yarn.lock #7594

Open
DeeDeeG opened this issue Oct 2, 2019 · 4 comments


DeeDeeG commented Oct 2, 2019

Do you want to request a feature or report a bug?
I would like to report a bug.

What is the current behavior?
yarn install (with or without --pure-lockfile and --frozen-lockfile) will proceed without any warnings or errors if data for resolved versions is garbled or blank in yarn.lock.

If the current behavior is a bug, please provide the steps to reproduce.

Minimal test-case repo I made: https://github.com/DeeDeeG/yarn-install-bugs

Note that the yarn.lock file in that repo is manually edited, and nonsensically records lodash@~4.15.0 as being resolved to version 1.3.0 of left-pad. It is also cut off a bit due to a copy-paste mishap. This demonstrates that yarn install's checks do not notice or warn about this garbage data in yarn.lock. In fact, the whole resolution info and SHASUM, etc. can be manually deleted, and yarn install --frozen-lockfile will run without warnings or errors. (This single line would be a sufficient yarn.lock: lodash@~4.15.0:)

Steps to reproduce:

You can do this to install dependencies (which are just lodash):

  • yarn install --frozen-lockfile OR yarn install --pure-lockfile

You can do this to verify which version of lodash was installed to node_modules:

  • grep "var VERSION" node_modules/lodash/lodash.js

What is the expected behavior?

yarn install should complain about garbled data in yarn.lock, especially when using --pure-lockfile or --frozen-lockfile

Please mention your node.js, yarn and operating system version.

Node: v10.16.3
Yarn: tested with v1.17.3 through v1.19.0
OS: Ubuntu 19.10 (development branch) -- Linux 5.3
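
A lockfile sanity check of the kind this report asks for, as an added example (not Yarn's code and not part of the original post): it parses yarn.lock v1 entries and flags missing `version`/`resolved` fields and a `resolved` tarball whose package name or version disagrees with the entry. The function names, the sample lockfile and its placeholder hash fragment are constructed for illustration; only registry-style `/-/name-version.tgz` URLs are compared.

```javascript
// Added example: sanity-check yarn.lock v1 entries (not Yarn's own code).
function parseLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      // Top-level key line: comma-separated, optionally quoted "name@range" specs.
      const specs = line.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      entries.push(cur = { specs, fields: {} });
    } else if (cur && /^ {2}\S/.test(line)) {
      // Two-space field line: key, then an optionally quoted value.
      const m = line.trim().match(/^(\S+)\s+"?([^"]*)"?$/);
      if (m) cur.fields[m[1]] = m[2];
    }
  }
  return entries;
}

function checkLock(text) {
  const problems = [];
  for (const { specs, fields } of parseLock(text)) {
    const label = specs.join(', ');
    for (const f of ['version', 'resolved']) {
      if (!fields[f]) problems.push(`${label}: missing "${f}"`);
    }
    // Registry tarballs look like .../<name>/-/<basename>-<version>.tgz
    const m = /\/((?:@[^/]+\/)?[^/@]+)\/-\/[^/]+?-(\d[^/]*)\.tgz/.exec(fields.resolved || '');
    if (!m) continue; // other URL shapes (git, file) are not compared here
    for (const spec of specs) {
      const at = spec.lastIndexOf('@');
      const name = at > 0 ? spec.slice(0, at) : spec;
      if (name !== m[1]) problems.push(`${spec}: resolved points at "${m[1]}"`);
    }
    if (fields.version && fields.version !== m[2]) {
      problems.push(`${label}: version ${fields.version} != tarball ${m[2]}`);
    }
  }
  return problems;
}

// Constructed sample mirroring the report; the hash fragment is a placeholder.
const SAMPLE = [
  'lodash@~4.15.0:',
  '  version "1.3.0"',
  '  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#PLACEHOLDER"',
].join('\n');
console.log(checkLock(SAMPLE));
```

Run as a CI step before `yarn install --frozen-lockfile`, a non-empty result can fail the build. It does not check that the recorded version satisfies the requested range.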


DeeDeeG commented Oct 2, 2019

It looks like I made a mistake copying and pasting in nano. I copied some lines that were overflowing my screen to the right when I copied. So the data got cut off and garbled.

DeeDeeG changed the title from "yarn.lock doesn't work as expected, is largely ignored by yarn install" to "yarn install doesn't complain about garbled data for a given resolved version in yarn.lock" on Oct 2, 2019

DeeDeeG commented Oct 2, 2019

I significantly updated this bug report to reflect the less-severe nature and scope of the problem.

DeeDeeG changed the title from "yarn install doesn't complain about garbled data for a given resolved version in yarn.lock" to "yarn install doesn't complain about garbled data for a given resolved version in yarn.lock" on Oct 2, 2019

knoxcard commented Oct 4, 2019

Can you upgrade to the latest version of node (12.11.1) and retry?


DeeDeeG commented Oct 7, 2019

Tried on Ubuntu Eoan (19.10) and macOS Mojave (10.14.5), latest Node 10.x and 12.x, and Yarn 1.17.3 and 1.19.0 (all eight combinations).

In all cases, using my example repo on master branch, I did the following command: yarn install --frozen-lockfile

Can confirm that Yarn did not error out or warn that it was ignoring the (partially garbled) resolution info in yarn.lock.
