unknownbreaker
commented
2 years ago I actually had the same issue as @nottoseethesun but then I upgraded my yarn to 3.2.1.
Now running yarn-audit-fix --force --audit-level high upgrades the major semver in yarn.lock, but that new semver not reflected in the package.json file.
My package.json has "pug": "^2.0.4", which the --force flag successfully upgraded to 3.0.1 in yarn.lock. However, package.json still shows the same "pug": "^2.0.4".
yarn.lock
"pug@npm:^2.0.4":
version: 3.0.1
resolution: "pug@npm:3.0.1"
dependencies:
pug-code-gen: ^3.0.2
pug-filters: ^4.0.0
pug-lexer: ^5.0.0
pug-linker: ^4.0.0
pug-load: ^3.0.0
pug-parser: ^6.0.0
pug-runtime: ^3.0.0
pug-strip-comments: ^2.0.0
checksum: 3a98e5b072f53cfdcc40ed864cd926eb8fde59e96254b7ae6d27426fc47b896e8d3848741c6123bdd8742c3cfe3ce4c1989e91feb3589e5c48d5937779faa4e9
languageName: node
linkType: hardThis seems pretty confusing to me because I would've expected the --force option to have updated my package.json to reflect the 3.0.1 major semver update.
Leaving the package.json unchanged can mislead other developers working on the project into thinking the package is still on 2.x.x when it is actually on 3.x.x. The major semver update would likely have breaking changes in API that would be confusing to pinpoint if package.json still points to the previous major semver.
Shouldn't the package.json be updated, as well?
antongolub
When I run
yarn run yarn-audit-fix --force --audit-level high, andpugneeds to be upgraded from major semver2to3, I get this message fromyarn-audit-fix:-- and the entry in
package.jsonremains^2.0.4when it needs to be^3.0.1. Furtheryarn-audit-fixruns flag the same error, which causes e.g. Husky scripts to block pushes. We found that apparently, the version in theyarn.lockfile is upgraded though.Running
yarn-audit-version9.3.2.