`--no-optional` or `--ignore-optional` does not impact transient dependencies.
Do you want to request a feature or report a bug? A bug.
What is the current behavior?
Given a package that has optional dependencies (`chokidar`), attempt to add it to your project. Yarn automatically installs the optional dependency `fsevents`, which (at this time) has a dependency with an nsp security violation (hoek).
The lock entry for chokidar is below:
```
chokidar@~2.0.2:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-2.0.2.tgz#4dc65139eeb2714977735b6a35d06e97b494dfd7"
  dependencies:
    anymatch "^2.0.0"
    async-each "^1.0.0"
    braces "^2.3.0"
    glob-parent "^3.1.0"
    inherits "^2.0.1"
    is-binary-path "^1.0.0"
    is-glob "^4.0.0"
    normalize-path "^2.1.1"
    path-is-absolute "^1.0.0"
    readdirp "^2.0.0"
    upath "^1.0.0"
  optionalDependencies:
    fsevents "^1.0.0"
```
If the current behavior is a bug, please provide the steps to reproduce.
```sh
mkdir test
cd test
npm init -y
yarn add --ignore-optional chokidar # or yarn add chokidar --no-optional
more yarn.lock | grep fsevents
```
What is the expected behavior? Yarn should not install optional dependencies.
Please mention your node.js, yarn and operating system version. OSX Sierra, Node Carbon-LTS (8.9.x), yarn 1.3.2
Here's a link to the NSP Node advisory. https://nodesecurity.io/advisories/566
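A check for the behaviour described in this report, added here as an example (not part of the issue or of yarn itself): parse a v1 `yarn.lock`, list every package that some other entry declares under `optionalDependencies`, and flag those that are both resolved in the lock and present in `node_modules`. After `yarn install --ignore-optional` that list should be empty; the embedded lock text is a constructed sample modelled on the `chokidar` entry above, and the `fsevents` entry in it is invented for the demo.

```python
# Constructed yarn.lock v1 sample (modelled on the report's chokidar entry; the
# fsevents entry is invented for the demo, not copied from a real lock file).
SAMPLE_LOCK = """\
chokidar@~2.0.2:
  version "2.0.2"
  dependencies:
    anymatch "^2.0.0"
  optionalDependencies:
    fsevents "^1.0.0"

fsevents@^1.0.0:
  version "1.1.3"
"""

def parse_lock(text):
    """Parse yarn.lock v1 into {package name: {version, dependencies, optionalDependencies}}.
    Keyed by bare name, so a package locked at several versions keeps only the last one."""
    entries, cur, section = {}, None, None
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and body.endswith(":"):  # e.g. 'chokidar@~2.0.2, chokidar@^2.0.0:'
            cur, section = {"version": None, "dependencies": {}, "optionalDependencies": {}}, None
            for key in body[:-1].split(","):
                name = key.strip().strip('"').rsplit("@", 1)[0]  # keeps "@scope/name"
                entries[name] = cur
        elif indent == 2 and body.endswith(":"):       # "dependencies:" / "optionalDependencies:"
            section = body[:-1]
        elif indent == 2 and body.startswith("version "):
            cur["version"] = body.split(" ", 1)[1].strip('"')
        elif indent == 4 and section in cur:           # '    fsevents "^1.0.0"'
            dep, rng = body.split(" ", 1)
            cur[section][dep.strip('"')] = rng.strip('"')
    return entries

def optional_deps(entries):
    """Map each optionally-declared dependency to the packages that declare it optional."""
    declared = {}
    for name, entry in entries.items():
        for dep in entry["optionalDependencies"]:
            declared.setdefault(dep, []).append(name)
    return declared

def leaked_optionals(entries, installed):
    """Optional deps that are resolved in the lock AND exist on disk; with
    --ignore-optional this should be empty (the report shows it is not)."""
    return sorted(d for d in optional_deps(entries) if d in entries and d in installed)
```

To run it against a real project, pass `Path("yarn.lock").read_text()` to `parse_lock` and the directory names of `node_modules` to `leaked_optionals` (scoped packages need the `@scope/name` form).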
This problem still exists in yarn 1.6.0, node 9.11.1 (on OSX 10.12.6).
Numerous issues have referred to variations of this problem (optional being erroneously required, or required being erroneously optional, etc.).
!5059 fixed optional dependency handling to ensure required dependencies are not erroneously marked as optional (fixing several issues). #2660 (closed, merged into #2666, which itself is closed by !3976) #4665 (open) is more or less a dupe.
Another reproducer:
```sh
mkdir yarn-test && cd yarn-test
yarn init -y
yarn add --ignore-optional [email protected]
cp -a yarn-test yarn-test-2 && cd yarn-test-2
rm -rf node_modules
yarn install --ignore-optional
```
Yarn will unnecessarily install `react-hot-loader`, which is an optional dependency. (It will then continue on to warn about an unmet peer dependency for the transient dependency, `redbox-react`.)
Had this problem, going to use `--ignore-platform` and hope for the best.
I'm still seeing the same issue in 2020. I'm using Yarn 1.22.4 and `yarn install --ignore-optional` will install optional dependencies from 3rd party libraries.