yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

Yarn installing things it shouldn't (caused complete web app breakage) #2229

Closed ffxsam closed 7 years ago

ffxsam commented 7 years ago

node v4.6.2
yarn v0.17.10

I started using yarn recently instead of npm, and I found out this morning that it rendered my web app to a breaking state.

So here's what's going on:

I've got a Meteor/React project. I have the intercom-client npm package installed, which depends on request > http-signature > sshpk > asn1. Then there's another package, meteor-node-stubs, which depends on crypto-browserify > browserify-sign > parse-asn1 > asn1.js (note the asn1 module name vs asn1.js).

For some reason (beyond my comprehension), npm has no problem with this. When I use npm, the only ASN module I see in node_modules is asn1. However, when I run yarn install, it decides to install asn1.js as well. This creates a conflict on the browser side, where require('asn1') actually pulls in asn1.js! On the server side, require('asn1') and require('asn1.js') properly return two different modules.

Here's the full npm dependency list (before yarn install): https://gist.github.com/ffxsam/8e1dc6967dd372ab619ede575edd99a0

And this is the list after yarn install: https://gist.github.com/ffxsam/57cfb84f42b83eb9135cc7bcd5b8165c

ffxsam commented 7 years ago

And my package.json dependencies for anyone who wants to try to replicate this:

{
  "dependencies": {
    "aws-sdk": "^2.4.2",
    "bcrypt": "^0.8.7",
    "body-parser": "^1.15.2",
    "case": "^1.4.1",
    "change-case": "^3.0.0",
    "chart.js": "^2.4.0",
    "classnames": "^2.2.5",
    "cron-parser": "^2.2.0",
    "filesize": "^3.3.0",
    "formous": "^0.9.2",
    "immutable": "^3.8.1",
    "intercom-client": "^2.8.5",
    "invariant": "^2.2.1",
    "keycode": "^2.1.2",
    "lodash": "^4.13.1",
    "material-ui": "^0.16.0",
    "meteor-node-stubs": "^0.2.3",
    "meteor-react-prebind": "^1.0.2",
    "moment": "^2.13.0",
    "moment-timezone": "^0.5.10",
    "radium": "^0.18.1",
    "react": "^15.1.0",
    "react-addons-pure-render-mixin": "^15.1.0",
    "react-addons-shallow-compare": "^15.3.2",
    "react-addons-transition-group": "^15.3.2",
    "react-chartjs-2": "^1.5.1",
    "react-delay": "0.0.3",
    "react-dom": "^15.1.0",
    "react-intercom": "^1.0.11",
    "react-linkify": "^0.1.1",
    "react-markdown": "^2.3.0",
    "react-mixin": "^3.0.5",
    "react-motion": "^0.4.4",
    "react-mounter": "^1.2.0",
    "react-redux": "^4.4.5",
    "react-redux-form": "^1.0.9",
    "react-sticky": "^5.0.5",
    "react-tap-event-plugin": "^2.0.1",
    "redux": "^3.5.2",
    "redux-logger": "^2.6.1",
    "redux-thunk": "^2.1.0",
    "rollbar": "^0.6.2",
    "shallowequal": "^0.2.2",
    "stripe": "^4.9.1",
    "validator": "^6.0.0"
  },
  "devDependencies": {
    "babel-eslint": "^7.0.0",
    "babel-jest": "^17.0.0",
    "babel-polyfill": "^6.13.0",
    "babel-preset-es2015": "^6.9.0",
    "babel-preset-react": "^6.11.1",
    "babel-preset-stage-1": "^6.13.0",
    "babel-root-slash-import": "^1.1.0",
    "babel-runtime": "^6.11.6",
    "eslint": "^3.2.2",
    "eslint-plugin-flowtype": "^2.3.0",
    "eslint-plugin-react": "^6.0.0",
    "flow-bin": "^0.36.0",
    "idgen": "^2.0.2",
    "jest": "^17.0.0",
    "json-loader": "^0.5.4",
    "random-word-generator": "^0.9.9",
    "react-addons-perf": "^15.1.0",
    "react-addons-test-utils": "^15.1.0",
    "react-test-renderer": "^15.4.1"
  }
}

ffxsam commented 7 years ago

Looks like what's happening is that npm installs asn1.js only inside meteor-node-stubs/node_modules since no one else needs it. However, yarn is installing asn1.js on a global project level which causes a breaking conflict.

SimenB commented 7 years ago

It should flatten. This sounds more like a bug in your bundler, where it doesn't differentiate modules with a .js suffix. As you say, on the server it works, because Node's algorithm is correct.

ffxsam commented 7 years ago

Ahh, then this might be either an issue with the Meteor bundler, or some kind of conflict between Meteor and yarn.

zvictor commented 7 years ago

It could be related to GetStream/stream-js#98