yarnpkg/yarn

Specifying hash in the package json is not working

Open

#3,109 opened on Apr 11, 2017

View on GitHub
 (5 comments) (0 reactions) (0 assignees)JavaScript (41,514 stars) (2,731 forks)batch import
cat-buggood first issuehelp wantedhigh-prioritytriaged

Description

Do you want to request a feature or report a bug?

Report a bug

What is the current behavior?

I have a stable branch in my project that gets updated every time the CI build passes. Eventually we want to be able to use that branch in our package.json, but I'm facing yarn issues with bad hash. See this other related issue: https://github.com/yarnpkg/yarn/issues/1916.

So to try and fix the hash issue we decided to specify the commit hash in the package.json itself, but yarn seems to be ignoring that entry.

If the current behavior is a bug, please provide the steps to reproduce.

Here is our package.json entry:

{
   ...
   "dependencies": {
      "grommet": "https://github.com/grommet/grommet/tarball/stable#85a1b40e4616fe54e4e13fdd9350128d1f0508e6",
   }
}

Here is the yarn.lock section:

"grommet@https://github.com/grommet/grommet/tarball/stable#85a1b40e4616fe54e4e13fdd9350128d1f0508e6":
  version "1.3.4"
  resolved "https://github.com/grommet/grommet/tarball/stable#2e18b1cba634cd1cfda9a3d601ae74fe77eacee1"

What is the expected behavior?

You can see that the yarn.lock resolved to latest hash in my stable branch, where I was expecting it to resolve to the hash that I've specified.

Please mention your node.js, yarn and operating system version.

Node: v7.3.0 NPM: 3.10.10 Yarn: 0.21.3

Contributor guide

Tech stack
javascriptnodejs
Domain
tooling
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
basic understanding of yarnpackage.json dependencies
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
30
Research direction
Investigate yarn's tarball resolution logic in the resolver module, specifically how the hash from package.json is parsed and compared to the resolved URL. Look at existing tests for similar dependencies. Since this is the 1.x line and frozen, consider if the issue has been fixed in berry (2.x).