yarn-audit-fix
`--force` option doesn't upgrade and gives log message, "warning Lockfile has incorrect entry"
When I run yarn run yarn-audit-fix --force --audit-level high, and pug needs to be upgraded from major semver 2 to 3, I get this message from yarn-audit-fix:
Verifying package structure...
Preparing temp assets...
Patching yarn.lock with audit data...
invoke yarn audit --json --level high
Upgraded deps: [email protected]
Installing deps update...
invoke yarn install --update-checksums
[1/5] 🔍 Validating package.json...
[2/5] 🔍 Resolving packages...
warning Lockfile has incorrect entry for "pug@^2.0.4". Ignoring it.
[3/5] 🚚 Fetching packages...
[4/5] 🔗 Linking dependencies...
[5/5] 🔨 Building fresh packages...
success Saved lockfile.
$ husky install
husky - Git hooks installed
Done
✨ Done in 6.97s.
-- and the entry in package.json remains ^2.0.4 when it needs to be ^3.0.1. Further yarn-audit-fix runs flag the same error, which causes e.g. Husky scripts to block pushes. We found that apparently, the version in the yarn.lock file is upgraded though.
Running yarn-audit-fix version 9.3.2.
% yarn --version
1.22.19
% npm --version
8.1.2
% node --version
v16.13.1
I actually had the same issue as @nottoseethesun but then I upgraded my yarn to 3.2.1.
Now running yarn-audit-fix --force --audit-level high upgrades the major semver in yarn.lock, but that new semver is not reflected in the package.json file.
My package.json has "pug": "^2.0.4", which the --force flag successfully upgraded to 3.0.1 in yarn.lock. However, package.json still shows the same "pug": "^2.0.4".
yarn.lock
"pug@npm:^2.0.4":
  version: 3.0.1
  resolution: "pug@npm:3.0.1"
  dependencies:
    pug-code-gen: ^3.0.2
    pug-filters: ^4.0.0
    pug-lexer: ^5.0.0
    pug-linker: ^4.0.0
    pug-load: ^3.0.0
    pug-parser: ^6.0.0
    pug-runtime: ^3.0.0
    pug-strip-comments: ^2.0.0
  checksum: 3a98e5b072f53cfdcc40ed864cd926eb8fde59e96254b7ae6d27426fc47b896e8d3848741c6123bdd8742c3cfe3ce4c1989e91feb3589e5c48d5937779faa4e9
  languageName: node
  linkType: hard
This seems pretty confusing to me because I would've expected the --force option to have updated my package.json to reflect the 3.0.1 major semver update.
Leaving the package.json unchanged can mislead other developers working on the project into thinking the package is still on 2.x.x when it is actually on 3.x.x. The major semver update would likely have breaking changes in API that would be confusing to pinpoint if package.json still points to the previous major semver.
Shouldn't the package.json be updated, as well?
Shouldn't the package.json be updated, as well?
Seems reasonable. I'll add this to backlog.
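A check that catches the drift this thread describes before Husky or CI trips over it, written here as an added example and not code from yarn-audit-fix or from either commenter: it reads package.json and yarn.lock (both the Yarn 1 entry format and the Yarn 2+ format quoted above) and reports every dependency whose resolved version falls outside the range package.json declares for it, which is precisely the state that makes Yarn print "Lockfile has incorrect entry" and ignore the entry. The embedded package.json and yarn.lock samples are constructed from the versions quoted in the thread; the range matcher handles only exact, ~ and ^ ranges in full x.y.z form, and the file names and CLI usage are assumptions, not anything yarn-audit-fix provides.

```javascript
// Added example (not code from yarn-audit-fix or from this thread):
// report dependencies whose yarn.lock resolution no longer satisfies the
// range declared in package.json, the state this issue describes after
// `yarn-audit-fix --force` bumps pug to 3.0.1 under a "^2.0.4" manifest entry.
// Constructed sample inputs, built from the versions quoted in the thread:
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { pug: "^2.0.4", "pug-runtime": "^3.0.0" },
});
const SAMPLE_YARN_LOCK = `
__metadata:
  version: 6

"pug@npm:^2.0.4":
  version: 3.0.1
  resolution: "pug@npm:3.0.1"
  languageName: node
  linkType: hard

"pug-runtime@npm:^3.0.0":
  version: 3.0.1
  resolution: "pug-runtime@npm:3.0.1"
  languageName: node
  linkType: hard
`;

// Parse "x.y.z" (optional leading "v") into [major, minor, patch].
// Only full three-part versions and ranges are supported (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version or range: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `version` satisfy `range`? Supports exact "x.y.z", "~x.y.z" and "^x.y.z",
// using npm's caret rule for 0.x releases (^0.2.3 means >=0.2.3 <0.3.0).
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const lower = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!op) return compare(v, lower) === 0;
  let upper;
  if (op === "~") upper = [lower[0], lower[1] + 1, 0];
  else if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
  else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
  else upper = [0, 0, lower[2] + 1];
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Map each "name@range" descriptor in yarn.lock to its resolved version.
// Accepts both the Yarn 1 format (`pug@^2.0.4:` / `  version "3.0.1"`) and the
// Yarn 2+ format (`"pug@npm:^2.0.4":` / `  version: 3.0.1`) shown in this thread.
function parseLock(text) {
  const resolved = new Map();
  let pending = [];
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line) && line.endsWith(":")) {
      pending = line
        .slice(0, -1)
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, "").replace("@npm:", "@"))
        .filter((k) => !k.startsWith("__")); // skip the __metadata header
      continue;
    }
    const m = /^\s+version:?\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (m && pending.length) {
      for (const key of pending) resolved.set(key, m[1]);
      pending = [];
    }
  }
  return resolved;
}

// Compare manifest ranges against lockfile resolutions; returns the drift list.
function findDrift(packageJsonText, lockText) {
  const manifest = JSON.parse(packageJsonText);
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const resolved = parseLock(lockText);
  const drift = [];
  for (const [name, range] of Object.entries(declared)) {
    const version = resolved.get(`${name}@${range}`);
    if (version === undefined) {
      drift.push({ name, range, version: null, reason: "no matching entry in yarn.lock" });
    } else if (!satisfies(version, range)) {
      drift.push({ name, range, version, reason: "resolved version is outside the declared range" });
    }
  }
  return drift;
}

// Assumed usage: node lockdrift.js [package.json yarn.lock]; without arguments it
// runs on the constructed sample above. Exits non-zero on drift when real files are given.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [pkgPath, lockPath] = process.argv.slice(2);
  const pkg = pkgPath ? fs.readFileSync(pkgPath, "utf8") : SAMPLE_PACKAGE_JSON;
  const lock = lockPath ? fs.readFileSync(lockPath, "utf8") : SAMPLE_YARN_LOCK;
  const drift = findDrift(pkg, lock);
  for (const d of drift) {
    console.log(`${d.name}: package.json declares ${d.range}, yarn.lock resolved ${d.version} (${d.reason})`);
  }
  if (pkgPath) process.exitCode = drift.length ? 1 : 0;
}
```

On the sample the script flags pug only: 3.0.1 is outside ^2.0.4, while pug-runtime at 3.0.1 satisfies ^3.0.0. Wiring it into the same pre-push hook that runs yarn-audit-fix turns the warning Yarn prints and then ignores into a hard failure, so a forced major bump cannot sit unnoticed in yarn.lock with package.json still advertising the old major.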