yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

install --frozen-lockfile --force behaves like --pure-lockfile #5215

Open torinthiel opened 6 years ago

torinthiel commented 6 years ago

Do you want to request a feature or report a bug? Bug

What is the current behavior? Yarn install incorrectly behaves when both --frozen-lockfile and --force are present.

If the current behavior is a bug, please provide the steps to reproduce.

  1. Clone https://gist.github.com/1c31682a46ae4ef33f544377003075f7.git
  2. Examine package.json and yarn.lock in this repository. Note that while yarn.lock specifies the dependency (lodash used as an example, but the exact package is not important) at one version, package.json has the dependency version updated.
  3. Run yarn install --frozen-lockfile. Note that it bails out with an error that lockfile should be updated.
  4. Run yarn install --frozen-lockfile --force. Note that the command succeeds. The version installed in node_modules is different than lockfile specifies, but lockfile is not updated. This behaviour is identical as if yarn install --pure-lockfile was run at this point.
  5. Finally run yarn install and confirm that lockfile is indeed updated.

What is the expected behavior? https://yarnpkg.com/en/docs/cli/install says that --frozen-lockfile fails if an update to lockfile is needed. Description of --force does not involve lockfile, only refetching packages. Description of neither --frozen-lockfile nor --force mentions any exception nor possible interactions between those two. Therefore I'd expect yarn install --force --frozen-lockfile to bail out if lockfile is outdated.

Please mention your node.js, yarn and operating system version.

$ node -v
v8.9.4
$ yarn -v
1.3.2

rzontar commented 4 years ago

We run into the same issue on our CI builds, where both --force and --frozen-lockfile parameters are present.

yarn -v
1.22.4