yarn upgrade package will upgrade unrelated packages in the lockfile

Open vampolo opened this issue 7 years ago • 8 comments

Do you want to request a feature or report a bug? Bug

What is the current behavior? Updating a single package will result in unrelated upgrades of other packages in the yarn.lock file. The documentation references yarn upgrade as the command to update a single dependency.

If the current behavior is a bug, please provide the steps to reproduce. In a project with other dependencies, run:

yarn upgrade PACKAGE

Substitute package with a module of your choice. See yarn.lock being generated, with unrelated dependencies being upgraded as well.

What is the expected behavior? yarn.lock and package.json should change version of the package that is being upgraded and direct dependencies, if any.

Please mention your node.js, yarn and operating system version. yarn v0.21.3 nodejs 7.5 mac os x sierra

vampolo avatar Apr 13 '17 21:04 vampolo

Any updates on this? We noticed this as well.

sudowork avatar Aug 18 '17 22:08 sudowork

Yeah, isn't that annoying? I think #598 is supposed to have fixed that, but I'm stuck on yarn 1.3.2 (thanks to Debian packagers apparently) which apparently doesn't have the fix yet. See also #1034.

TylerRick avatar Feb 06 '18 01:02 TylerRick

I'm seeing that as well. Workaround we found was to specify the version, so yarn upgrade [email protected] will only bump the specified package. Careful with package.json if you have fuzzy matching though, as it will remove the fuzzy character and hardcode the version. UPDATE: it's actually only updating the packages' dependencies, which is expected, so it's not really an issue for us in most cases. Still, there are some applications for only updating the package itself and not the dependencies for us, so I'll still be using the upgrade with version when necessary.

olivetreee avatar Jul 17 '18 22:07 olivetreee

The workaround I'm following is to:

  • find the module definition I want to update in the yarn.lock
  • delete its definition
  • run a yarn install

Yarn then seems to find that missing definition in the lock file and fill it with the best candidate with respect to the requirements of all other installed packages & the version in the package.json. This also seems to result in less duplication for that package, while with yarn add/yarn upgrade it's common to end up with more than one version of a module when some of your dependencies also depend on that.

thgreasi avatar Jul 25 '18 09:07 thgreasi

I usually end up running git add --patch yarn.lock and only staging the upgrades I asked for. This is unfortunate because I'd love to be able to script the upgrade of our internal packages without potentially causing breakage from unrelated and unwanted upgrades.

Is there any progress being made on this issue?

scottkidder avatar Jan 16 '19 15:01 scottkidder
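
A scripted form of the manual lockfile review described above, as an added example that is not part of the original thread: it compares two yarn.lock texts (v1 format) and lists every entry whose resolved version changed outside the packages you meant to upgrade. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: parse yarn.lock v1 text into Map(descriptor -> resolved version).
function parseLock(text) {
  const entries = new Map();
  let current = [];
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header, e.g.  "@scope/a@^1.0.0", "@scope/a@^1.2.0":
      current = line.slice(0, -1).split(',').map(d => d.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^  version "(.+)"$/.exec(line);
    if (m) for (const d of current) entries.set(d, m[1]);
  }
  return entries;
}

// Package name of a descriptor; searching from index 1 skips a scope's leading "@".
function nameOf(descriptor) {
  const i = descriptor.indexOf('@', 1);
  return i < 0 ? descriptor : descriptor.slice(0, i);
}

// Entries whose resolution changed, appeared or vanished, excluding allowed packages.
function unexpectedChanges(beforeText, afterText, allowedNames) {
  const before = parseLock(beforeText), after = parseLock(afterText);
  const allowed = new Set(allowedNames);
  const out = [];
  for (const d of new Set([...before.keys(), ...after.keys()])) {
    if (allowed.has(nameOf(d))) continue;
    const a = before.get(d) ?? '(absent)', b = after.get(d) ?? '(absent)';
    if (a !== b) out.push(`${d}: ${a} -> ${b}`);
  }
  return out.sort();
}

// Constructed sample lockfiles (not taken from the issue).
const BEFORE = `# yarn lockfile v1

left-pad@^1.1.0:
  version "1.1.3"

"@demo/util@^2.0.0", "@demo/util@^2.1.0":
  version "2.1.0"

chalk@^2.0.0:
  version "2.0.1"
`;
const AFTER = BEFORE.replace('version "1.1.3"', 'version "1.3.0"')
                    .replace('version "2.0.1"', 'version "2.4.2"');

console.log(unexpectedChanges(BEFORE, AFTER, ['left-pad']));
```

In a CI job the two texts would come from the base branch and the pull request, and a non-empty result would fail the build until someone reviews the extra version changes.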

I've now taken @thgreasi's solution and automated it with sed.

sed -i '/<your-package-name>@/,/^$/d' yarn.lock && yarn && git add yarn.lock && git commit -m 'chore(deps): bump <your-package-name>'

scottkidder avatar Jul 16 '19 12:07 scottkidder

Made a minimal repro to investigate this later https://github.com/cristianl/repro-yarn-3137

cristianl avatar Feb 04 '20 21:02 cristianl

This issue also happened to my locally referenced package. yarn upgrade <package> somehow upgrades unrelated non-local packages that are not even used by my local package. I managed to fix this by doing

yarn remove <package> && yarn add <package>

Not sure how it fares against remote packages though.

thomasttvo avatar Jan 09 '24 23:01 thomasttvo