Installing package from a branch with yarn.lock present installs old version of package · yarnpkg/yarn#4734

(20 comments) (36 reactions) (0 assignees)JavaScript (41,514 stars) (2,731 forks)batch import

cat-bughelp wantedhigh-prioritytriaged

Description

This is bug report and a follow-up to issue #2280.

Problem:

When installing from a git branch with a correct yarn.lock file present, yarn installs an old version of the package instead of the most recent commit (HEAD), as defined in yarn.lock.

This can lead to inconsistent install states when when using a yarn.lock file.

Steps to reproduce:

The following steps simulate a case where a package has been installed from the master branch of a GitHub repository, and what happens when a user tries to install a new commit to master using yarn.

Create a new repository with a single commit of a file version_1.0 and push it to GitHub (in this example askielboe/yarn-bug).
Create a package.json file with the following content:

{
  "name": "yarn-bug",
  "version": "1.0.0",
  "dependencies": {
    "yarn-bug": "askielboe/yarn-bug#master"
  }
}

Run yarn install at the location of package.json: yarn correctly installs the package with a single file node_modules/yarn-bug/version_1.0.
Create a new commit in yarn-bug adding a file version_2.0, and push the commit to GitHub.
Run yarn install again: yarn installs from cache without checking for new commits at the origin. This means that the yarn installation of yarn-bug will not include the HEAD commit with the new file version_2.0.
Delete node_modules and yarn.lock and run yarn install: With yarn.lock gone, yarn now correctly pulls the latest commit and generates a new yarn.lock file with the HEAD hash.
Delete node_modules (but keep yarn.lock) and run yarn install: yarn now installs the initial commit again, instead of the HEAD commit referenced in yarn.lock. Somehow yarn looks at its cache and picks a commit (by random?) to install instead of checking whether it is the HEAD, or the most recent pulled commit.

Notes & workarounds:

Running yarn upgrade after deleting node_modules will install the correct version of the package.
Clearing the yarn cache by running yarn cache clean yarn-bug and then yarn install will install the correct HEAD commit without the need to delete yarn.lock.
Even when using --frozen-lockfile yarn still installs an old commit (ignoring the correct hash in yarn.lock). This can lead to inconsistent state and critical issues in continuous integration, when requiring packages from a git branch.

The bug(s) can be reproduced using the following script: (replace askielboe/yarn-bug with a reference to your own test-repository). Please read through the script before running it, as it creates new directories and clears the yarn cache: https://gist.github.com/askielboe/0c0bc3fdf88193bb17fc4fef5d332ad1

This bug report has been created using yarn 1.2.1 and node 8.7.0 on macOS 10.12.6.

Contributor guide

Tech stack: javascriptnodejs
Domain: clitooling
Issue type: bug
Difficulty: 3
Estimated time: half day
Activity status: stale
Clarity: mostly clear
Prerequisites: basic understanding of yarnexperience with git dependenciesknowledge of yarn.lock mechanics
Newbie friendliness: 30
Research direction: Investigate the caching logic in yarn's git dependency resolution. Focus on how yarn resolves the commit hash when a yarn.lock is present. Look into the `resolved` field in yarn.lock and the cache lookup mechanism. The issue provides clear reproduction steps and notes about cache clearing, which should guide the investigation. Consider the behavior of `yarn install` vs `yarn upgrade` and the impact of ` frozen lockfile`.