
`--no-optional` or `--ignore-optional` does not impact transient dependencies.

Open krotscheck opened this issue 6 years ago • 4 comments

Do you want to request a feature or report a bug? A bug.

What is the current behavior? Given a package that has optional dependencies (chokidar), attempt to add it to your project. Yarn automatically installs the optional dependency fsevents, which (at this time) has a dependency with an nsp security violation (hoek).

The lock entry for chokidar is below:

chokidar@~2.0.2:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-2.0.2.tgz#4dc65139eeb2714977735b6a35d06e97b494dfd7"
  dependencies:
    anymatch "^2.0.0"
    async-each "^1.0.0"
    braces "^2.3.0"
    glob-parent "^3.1.0"
    inherits "^2.0.1"
    is-binary-path "^1.0.0"
    is-glob "^4.0.0"
    normalize-path "^2.1.1"
    path-is-absolute "^1.0.0"
    readdirp "^2.0.0"
    upath "^1.0.0"
  optionalDependencies:
    fsevents "^1.0.0"

If the current behavior is a bug, please provide the steps to reproduce.

mkdir test
cd test
npm init -y
yarn add --ignore-optional chokidar # or yarn add chokidar --no-optional
more yarn.lock | grep fsevents

What is the expected behavior? Yarn should not install optional dependencies.

Please mention your node.js, yarn and operating system version. OSX Sierra, Node Carbon-LTS (8.9.x), yarn 1.3.2

krotscheck, Feb 15 '18 20:02

Here's a link to the NSP Node advisory. https://nodesecurity.io/advisories/566

krotscheck, Feb 15 '18 20:02

This problem still exists in yarn 1.6.0, node 9.11.1 (on OSX 10.12.6).

Numerous issues have referred to variations of this problem (optional being erroneously required, or required being erroneously optional, etc.).

!5059 fixed optional dependency handling to ensure required dependencies are not erroneously marked as optional (fixing several issues). #2660 (closed; merged into #2666, which itself is closed by !3976). #4665 (open) is more or less a dupe.

Another reproducer:

mkdir yarn-test && cd yarn-test
yarn init -y
yarn add --ignore-optional [email protected]
cp -a yarn-test yarn-test-2 && cd yarn-test-2
rm -rf node_modules
yarn install --ignore-optional

Yarn will unnecessarily install react-hot-loader, which is an optional dependency.

(It will then continue on to warn about an unmet peer dependency for the transient dependency, redbox-react.)

richardkmichael, Apr 14 '18 18:04

Had this problem, going to use --ignore-platform and hope for the best.

alex-dixon, Jul 23 '19 17:07

I'm still seeing the same issue in 2020. I'm using Yarn 1.22.4 and yarn install --ignore-optional will install optional dependencies from 3rd party libraries.

leethree, Jul 24 '20 13:07