yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

[bug] incorrect jsbn dependency version #5315

Open dlebedynskyi opened 6 years ago

dlebedynskyi commented 6 years ago

This is a bug.

yarn: 1.3.2
node: 8.9.1
os: OS X 10.3.2

What is the current behavior? When using a package that depends on jsbn (1.1.0) together with nodemon (1.14.11), the jsbn package dependency is getting overridden to jsbn 0.1.1.

Steps to reproduce

  1. create a package with jsbn dependency https://gist.github.com/dlebedynskyi/62bb7408664bc053bd18b5c11ef2f9d1

  2. create another package that will use one above https://gist.github.com/dlebedynskyi/8528b304eb04f873a872a7b1b05682bd

You can check node_modules/jsbn/package.json

"version": "1.1.0"

  3. now add nodemon (1.14.11) to sample-nodemon https://gist.github.com/dlebedynskyi/5593f73046ce114850c9a19f2281b0ae

Check node_modules/jsbn/package.json

"version": "0.1.1"

As you can see, the nodemon dep (chokidar) installs jsbn version 0.1.1

https://github.com/remy/nodemon/issues/1235#issuecomment-360996991

What is the expected behavior?

The jsbn dep stays at 1.1.0

kerryrusso-nuix commented 5 years ago

I think my issue is related to this.

yarn: 1.7.0
node: 8.9.1
os: OSX 10.12.6

What is the current behavior? I have the dependency react-router 4.3.0 which depends on path-to-regexp 1.7.0. I also depend on express 4.16.3 which depends on path-to-regexp 0.1.7. node_modules/path-to-regexp is resolved to 0.1.7.

What is the expected behavior? node_modules/path-to-regexp is resolved to 1.7.0.