yarn fails to install packages with github tarball dependencies · yarnpkg/yarn#3243

(3 comments) (0 reactions) (0 assignees)JavaScript (41,514 stars) (2,731 forks)batch import

cat-featuregood first issuehelp wantedtriaged

Description

Bug

What is the current behavior?

I checked in a patched node package which has a patched dependency node package. The dependency tree look like this:

myproject:
  dependencies:
    keycloak-connect: https://github.com/bertramn/keycloak-nodejs-connect/tarball/3.0.x"
      dependencies:
        keycloak-auth-utils: https://github.com/bertramn/keycloak-nodejs-auth-utils/tarball/3.0.x"

Why I would do such thing you might ask? Well ... there is no way in yarn to force version/location override of dependencies of a dependency. I tried a lot of things including the dependencies override in the package.json file without any luck. Something like that can easily be done in npm shrinwrap, just drop in a npm-shirnwrap.json file and we are good to go:

{
  "dependencies": {
    "keycloak-connect": {
      "version": "3.0.0",
      "from": "keycloak-connect@3.0.0",
      "dependencies": {
        "keycloak-auth-utils": {
          "version": "3.0.0",
          "from": "https://github.com/bertramn/keycloak-nodejs-auth-utils/tarball/3.0.x"
        }
      }
    }
  }
}

So in absense of some simmilar capability in yarn, this is the dirty hack that should work.

If the current behavior is a bug, please provide the steps to reproduce.

Yarn fails with the below error message, despite there being a package.json in the dependency package and the dependency of the dependency package.

error Couldn't find a package.json file in "C:\\Users\\fred\\workspaces\\yarn-fail\\node_modules\\keycloak-connect\\node_modules\\keycloak-auth-utils"

Example package.json to demonstrate error:

{
  "name": "yarn-fail",
  "version": "1.0.0",
  "description": "Example package from github tarball with a nested dependency from github tarball",
  "author": "Niels Bertram <nielsbne@gmail.com>",
  "license": "Apache-2.0",
  "dependencies": {
    "keycloak-connect": "https://github.com/bertramn/keycloak-nodejs-connect/tarball/3.0.x"
  }
}

Running this simple example will result in following error:

C:\Users\fred\workspaces\yarn-fail>yarn install
yarn install v0.22.0
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
error Couldn't find a package.json file in "C:\\Users\\fred\\workspaces\\yarn-fail\\node_modules\\keycloak-connect\\node_modules\\keycloak-auth-utils"
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

What is the expected behavior?

Yarn installs the package and its dependencies as per package.json declaration.

Please mention your node.js, yarn and operating system version.

windows 7 x64 node v6.10.1 yarn 0.22.0

Contributor guide

Tech stack: javascriptnodejs
Domain: backendtooling
Issue type: bug
Difficulty: 3
Estimated time: 1-2 days
Activity status: stale
Clarity: clear
Prerequisites: basic knowledge of Node.jsunderstanding of package.jsonfamiliarity with Yarn
Newbie friendliness: 40
Research direction: The bug occurs when installing packages from GitHub tarball URLs that have nested tarball dependencies. The error indicates that Yarn cannot find a package.json in the nested node modules folder. Look into Yarn's package resolution and fetching code, specifically how it handles tarball dependencies and their nested dependencies. Check if the issue is related to the resolver not properly extracting or caching the nested tarball's package.json. The issue is from 2017 and Yarn's 1.x line has been frozen; consider if this is still relevant in Berry (Yarn 2+).