indutny / asn1.js

ASN.1 Decoder/Encoder/DSL
MIT License

4.10.0 not available via yarn #95

Closed wpwood closed 6 years ago

wpwood commented 6 years ago

When trying to install bower (which uses parse-asn1, and transitively, asn1.js), the install tries to pull in asn1.js 4.10.0, which doesn't exist. There's a GitHub release, but no yarn version, apparently. Forcing 4.9.2 does work.

The error I'm getting is:

yarn install v1.2.1
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/asn1.js/-/asn1.js-4.10.0.tgz: Request failed \"404 Not Found\"".
info If you think this is a bug, please open a bug report with the information provided in "/jenkins/workspace/rs_aa-web-tng_jenkins_build-PDLIB2YYFPZ3HKD27EE26S7JKYWCT2YIOP46OX7JC4W7ITGSUOKA/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
script returned exit code 1

atma commented 6 years ago

Same here with npm. It reports that version 4.10.0 exists, but the tarball cannot be downloaded:

curl -I https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.0.tgz
HTTP/1.1 404 Not Found

Would be nice to bump the version to 4.10.1 and republish it, so the packages that have an asn1.js dependency with a caret will work with no problems. E.g. ^4.0.0 ➞ 4.10.1 instead of the current corrupted 4.10.0.

wpwood commented 6 years ago

I solved the issue by removing my yarn.lock and node_modules, running yarn cache clean, and then rerunning yarn install. That gave me a reference to asn1.js 4.9.2 in yarn.lock, instead of 4.10.0.

I think there must have been a 4.10.0 version at some point, which made it into the yarn.lock file, which made the builds want to re-use it. Looks like it doesn't exist any more.

Hope that helps.

indutny commented 6 years ago

Sorry to cause problems, but 4.10.0 was unpublished due to incompatibility with webpack/browserify. You must have been caught between publishing and unpublishing, so the yarn lock file has this non-existent version. Sorry again.

Closing as there is nothing actionable on my end.
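
Added example, not part of the original thread or the asn1.js project: a Node.js check for the situation described above, where yarn.lock still pins a version that has since been unpublished. The lockfile excerpt, the `example-dep` package and the `PUBLISHED` version lists are constructed, and the function names are hypothetical.

```javascript
// Constructed yarn.lock (v1) excerpt; "example-dep" is a made-up package.
const SAMPLE_LOCK = `# yarn lockfile v1

asn1.js@^4.0.0:
  version "4.10.0"
  resolved "https://registry.yarnpkg.com/asn1.js/-/asn1.js-4.10.0.tgz"
  dependencies:
    example-dep "^1.0.0"

example-dep@^1.0.0, example-dep@^1.0.1:
  version "1.0.1"
`;

// Constructed stand-in for the registry's list of published versions.
// In real use this would come from the registry metadata for each package.
const PUBLISHED = { 'asn1.js': ['4.9.1', '4.9.2'], 'example-dep': ['1.0.0', '1.0.1'] };

// Parse lockfile entries into { specs, name, version } records.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (/^\S.*:$/.test(line) && !line.startsWith('#')) {
      // Header such as `asn1.js@^4.0.0:` or `"@scope/pkg@^1.0.0", "@scope/pkg@^1.1.0":`
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, name: specs[0].slice(0, specs[0].lastIndexOf('@')), version: null };
      entries.push(current);
    } else if (current) {
      const m = /^  version "(.+)"$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric x.y.z comparison, so that 4.10.0 sorts above 4.9.2.
function compareVersions(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}

// Report entries pinned to a version that is not in the published list, with
// the highest published version of the same major as a fallback (a
// simplification of caret-range matching, valid for majors >= 1).
function findStalePins(lockText, published) {
  return parseYarnLock(lockText)
    .filter(e => !(published[e.name] || []).includes(e.version))
    .map(e => {
      const sameMajor = (published[e.name] || [])
        .filter(v => v.split('.')[0] === e.version.split('.')[0]).sort(compareVersions);
      return { name: e.name, pinned: e.version, fallback: sameMajor.pop() || null };
    });
}

console.log(findStalePins(SAMPLE_LOCK, PUBLISHED));
```

Running a check like this in CI before `yarn install` turns the 404 during the fetch step into a named stale pin with a candidate replacement.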

jiripudil commented 6 years ago

Hello @indutny

I'd just like to point out a quote from the semver specification, found under the question "What do I do if I accidentally release a backwards incompatible change as a minor version?":

Even under this circumstance, it is unacceptable to modify versioned releases.

According to the answer, it's best to restore the compatibility and release a new minor version. It could have saved people who got "caught between publishing and unpublishing" some confused looks at failed builds and half hours of googling and fixing a missing dependency of a dependency of a dependency of a dependency.

I'm not here to blame you, it was not a big deal in the end, apologies accepted. I just wanted to point this out in case such an unfortunate thing ever happens again.