
[Bug?]: When using `yarn set resolution`, it will stop hardened mode from working

Open SBoudrias opened this issue 1 year ago • 4 comments

Self-service

  • [ ] I'd be willing to implement a fix

Describe the bug

Trying to update to Yarn v4 on Inquirer (PR in question), I ran into an issue with resolution of an older dependency's transitive dependency failing with new TypeScript versions. To move forward, I had to force a resolution, so I set up this resolution: `yarn set resolution type-fest@npm:^0.21.3 npm:^4.0.0`

So far everything works as expected. TypeScript now compiles properly, and the faulty version is properly overridden.

The problem occurs later when running the install step with the hardened mode on. Then it raises this resolution as invalid:

```
➤ YN0078: Invalid resolution type-fest@npm:^0.21.3 → npm:4.10.3
```

You can see this happening in this CI run.

To reproduce

See following PR updating to Yarn 4 https://github.com/SBoudrias/Inquirer.js/pull/1344

Environment

```
System:
    OS: macOS 14.3.1
    CPU: (10) arm64 Apple M1 Max
  Binaries:
    Node: 21.4.0 - /private/var/folders/dv/bb33m8ld4jdc0dx3wxscj4q00000gq/T/xfs-a3daf525/node
    Yarn: 4.1.0 - /private/var/folders/dv/bb33m8ld4jdc0dx3wxscj4q00000gq/T/xfs-a3daf525/yarn
    npm: 8.19.2 - ~/.volta/tools/image/npm/8.19.2/bin/npm
```

Additional context

No response

SBoudrias avatar Feb 25 '24 21:02 SBoudrias

I believe for this use case you need to add a `resolutions` entry in your `package.json`, so that Yarn knows that the "invalid" resolution is expected. Without it, it triggers the hardened mode check since Yarn doesn't know whether the resolution was intended or forged by a malicious actor.

I'll add a note to `yarn set resolution` mentioning that, and perhaps in the next major we should change its behaviour to update the `resolutions` field by default, rather than the raw lockfile.

arcanis avatar Feb 26 '24 07:02 arcanis
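As an added illustration, not Yarn's own code, here is a simplified JavaScript model of the check arcanis describes: a lockfile resolution that falls outside its descriptor's range is flagged unless the `resolutions` field in `package.json` declares that override. The constructed lockfile entries, the minimal caret check and the `checkResolutions` function are assumptions made for this example and do not reflect Yarn internals.

```javascript
// Simplified model (not Yarn's implementation) of the hardened-mode check that
// reports YN0078 when a lockfile resolution does not satisfy its descriptor range,
// and of how a package.json "resolutions" entry makes that override expected.

// Parse "name@npm:range" into { name, range }; only npm: descriptors are modelled.
function parseDescriptor(descriptor) {
  const m = /^(.+?)@npm:(.+)$/.exec(descriptor);
  if (!m) throw new Error(`unsupported descriptor: ${descriptor}`);
  return { name: m[1], range: m[2] };
}

// Minimal caret-range check: only ^x.y.z ranges and plain x.y.z versions (assumption).
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const lo = range.slice(1).split('.').map(Number);
  const v = version.split('.').map(Number);
  // Upper bound: next major, or next minor/patch for 0.x ranges.
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// lockEntries: { "name@npm:range": "npm:x.y.z" } as recorded in the lockfile.
// resolutions: the package.json "resolutions" field, keyed the same way.
// Returns one YN0078-style message per entry whose resolved version satisfies
// neither its own range nor a declared override for that descriptor.
function checkResolutions(lockEntries, resolutions) {
  const findings = [];
  for (const [descriptor, resolution] of Object.entries(lockEntries)) {
    const { range } = parseDescriptor(descriptor);
    const version = resolution.replace(/^npm:/, '');
    const override = resolutions[descriptor];
    const expectedRange = override ? override.replace(/^npm:/, '') : range;
    if (!caretSatisfies(expectedRange, version)) {
      findings.push(`YN0078: Invalid resolution ${descriptor} → ${resolution}`);
    }
  }
  return findings;
}

// Constructed lockfile snapshot mirroring the report: the forced type-fest entry
// plus one untouched dependency.
const LOCK_ENTRIES = {
  'type-fest@npm:^0.21.3': 'npm:4.10.3',
  'chalk@npm:^4.1.2': 'npm:4.1.2',
};

// Lockfile-only override looks forged; the same lockfile passes once declared.
const withoutOverride = checkResolutions(LOCK_ENTRIES, {});
const withOverride = checkResolutions(LOCK_ENTRIES, { 'type-fest@npm:^0.21.3': 'npm:^4.0.0' });
```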

> in the next major we should change its behaviour to update the resolutions field by default

Yeah, I think that is the behaviour I would expect. It'd be one less footgun 😄

SBoudrias avatar Feb 26 '24 14:02 SBoudrias

Did there used to be a `-s` option? This SA answer from 2022 says to use it.

Adding that would be a non-breaking change. Then it could be the default in the next major.

turadg avatar Feb 19 '25 14:02 turadg

The current `yarn set resolution` doesn't have a `-s` option, which is a pity. And I'd expect that `yarn set resolution x '^x.y.z'` should just work like `resolutions` in `package.json`.

JounQin avatar Apr 05 '25 11:04 JounQin