yarnpkg/yarn

Inconsistent quoting of github dependency names leads to unnecessary lockfile changes

Open

#4953 opened on Nov 18, 2017

5 comments

Labels: cat-bug, fixed-in-modern, help wanted, triaged

Description

Do you want to request a feature or report a bug?

This seems like a yarn bug.

What is the current behavior?

We've got a certain transitive dependency that is always resolved correctly, but the name of this dependency is sometimes quoted depending on which yarn command was executed last.

If I run yarn install in our project, yarn.lock always ends up containing this (dependency name not quoted):

axios@contentful/axios#fix/https-via-http-proxy:
  version "0.17.1"
  resolved "https://codeload.github.com/contentful/axios/tar.gz/4b06f4a63db3ac16c99f7c61b584ef0e6d11f1af"
  dependencies:
    follow-redirects "^1.2.5"
    is-buffer "^1.1.5"

If I run yarn upgrade in our project, yarn.lock always ends up containing this (dependency name quoted):

"axios@github:contentful/axios#fix/https-via-http-proxy":
  version "0.17.1"
  resolved "https://codeload.github.com/contentful/axios/tar.gz/4b06f4a63db3ac16c99f7c61b584ef0e6d11f1af"
  dependencies:
    follow-redirects "^1.2.5"
    is-buffer "^1.1.5"

So, even if there are no actual version changes, install and upgrade can cause unnecessary lockfile changes that the other command reverts later. Removing node_modules doesn't help.

If the current behavior is a bug, please provide the steps to reproduce.

This is reproducible with a barebones package.json with these two dependencies:

"dependencies": {
  "contentful": "~4.6.2",
  "left-pad": "stevemao/left-pad"
}

Now, running yarn upgrade quotes the axios transitive dependency, and yarn install reverts the quoting. This seems to have something to do with multiple github dependencies, because if left-pad is removed, both yarn commands use quotes in the axios dependency name. Note that contentful doesn't use left-pad even transitively, so just the existence of another github dependency is enough to trigger this behaviour.

What is the expected behavior?

yarn.lock consistently uses either the quoted or the unquoted name for axios, so install/upgrade doesn't make unnecessary quoting modifications to the lock file.

Please mention your node.js, yarn and operating system version.

$ node --version
v8.9.1
$ yarn --version
1.3.2
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"

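The practical problem with the churn described above is that a diff of yarn.lock no longer tells a reviewer whether anything actually resolved differently, which is exactly what a lockfile review (and a CI check on it) is for. The script below is an added example, not code from the yarn project or from the issue author: it parses the yarn.lock v1 subset shown in the report, canonicalises github shorthand keys so that `axios@contentful/axios#ref` and `"axios@github:contentful/axios#ref"` compare equal, and then reports only substantive differences (version, resolved URL, dependency ranges). The shorthand rule, the parser and the sample lockfile texts are constructed for this example from the snippets above; the third sample, with a changed version, is invented to show a real change being reported.

```javascript
'use strict';

// Added example, not code from yarn itself. It treats the two key spellings
// reported in this issue as the same entry and diffs lockfiles on substance.
// The github-shorthand rule and the parser cover only the yarn.lock v1 subset
// shown in the report; both are assumptions made for this example.

// Matches the spec part of a key such as "contentful/axios#fix/https-via-http-proxy"
// or "github:stevemao/left-pad". Semver ranges, URLs and file: specs do not match.
const GITHUB_SHORTHAND = /^(?:github:)?([A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+)(#.*)?$/;

function unquote(s) {
  return s.replace(/^"(.*)"$/, '$1');
}

// Strip surrounding quotes and rewrite github shorthand to one canonical form:
// <name>@github:<owner>/<repo>[#ref]. Any other key is returned unchanged.
function canonicalKey(rawKey) {
  const key = unquote(rawKey.trim());
  const at = key.lastIndexOf('@'); // last "@" so "@scope/name@range" splits correctly
  if (at <= 0) return key;
  const name = key.slice(0, at);
  const spec = key.slice(at + 1);
  const m = GITHUB_SHORTHAND.exec(spec);
  if (!m) return key;
  return `${name}@github:${m[1]}${m[2] || ''}`;
}

// Minimal yarn.lock v1 parser: top-level "key1, key2:" headers, two-space
// "field value" lines, and a nested "dependencies:" block.
// Returns Map<canonicalKey, entry>; aliases of one entry share one object.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const line of text.split('\n')) {
    const body = line.trim();
    if (!body || body.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0 && body.endsWith(':')) {
      current = { dependencies: {} };
      inDeps = false;
      for (const k of body.slice(0, -1).split(',')) {
        entries.set(canonicalKey(k), current);
      }
    } else if (indent === 2 && current) {
      inDeps = body === 'dependencies:';
      const sp = body.indexOf(' ');
      if (!inDeps && sp > 0) {
        current[unquote(body.slice(0, sp))] = unquote(body.slice(sp + 1));
      }
    } else if (indent === 4 && current && inDeps) {
      const sp = body.indexOf(' ');
      if (sp > 0) current.dependencies[unquote(body.slice(0, sp))] = unquote(body.slice(sp + 1));
    }
  }
  return entries;
}

// Order-independent summary of what an entry resolves to.
function fingerprint(entry) {
  const fields = Object.keys(entry).filter((f) => f !== 'dependencies').sort()
    .map((f) => `${f}=${entry[f]}`);
  const deps = Object.keys(entry.dependencies).sort()
    .map((d) => `${d}=${entry.dependencies[d]}`);
  return fields.concat(deps).join('|');
}

// Diff two lockfile texts by canonical key. Entries that differ only in how
// their key is spelled are not reported at all.
function diffLockfiles(textA, textB) {
  const a = parseYarnLock(textA);
  const b = parseYarnLock(textB);
  const result = { added: [], removed: [], changed: [] };
  for (const [key, entry] of a) {
    if (!b.has(key)) result.removed.push(key);
    else if (fingerprint(entry) !== fingerprint(b.get(key))) result.changed.push(key);
  }
  for (const key of b.keys()) if (!a.has(key)) result.added.push(key);
  result.substantive = result.added.length + result.removed.length + result.changed.length > 0;
  return result;
}

// Constructed sample inputs: the two spellings from the report, plus a
// variant whose resolution really changed.
const RESOLVED = 'https://codeload.github.com/contentful/axios/tar.gz/4b06f4a63db3ac16c99f7c61b584ef0e6d11f1af';
const LOCK_INSTALL = `
axios@contentful/axios#fix/https-via-http-proxy:
  version "0.17.1"
  resolved "${RESOLVED}"
  dependencies:
    follow-redirects "^1.2.5"
    is-buffer "^1.1.5"
`;
const LOCK_UPGRADE = `
"axios@github:contentful/axios#fix/https-via-http-proxy":
  version "0.17.1"
  resolved "${RESOLVED}"
  dependencies:
    follow-redirects "^1.2.5"
    is-buffer "^1.1.5"
`;
const LOCK_CHANGED = LOCK_UPGRADE.replace('version "0.17.1"', 'version "0.18.0"');

console.log('install vs upgrade:', diffLockfiles(LOCK_INSTALL, LOCK_UPGRADE));
console.log('install vs changed:', diffLockfiles(LOCK_INSTALL, LOCK_CHANGED));
```

Run with `node`: the first diff comes back with `substantive: false`, the second lists the axios entry under `changed`. In a pre-merge check this is the distinction that matters: a quoting-only diff can be waved through, while any change to `resolved` on a git dependency means a different commit is about to be installed and deserves a look.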