I'm using Yarn@3.0.2 in my project.
I have patched a package (@pkg/pkg) with the command yarn patch @pkg/pkg and I am using it as a devDependency with the patch: protocol.
Now I need to make another patch to the same package - but when I run the same command I get Multiple candidate packages found [...].
It works when trying to target the original package (using yarn patch @pkg/pkg@x.x.x), but I can't seem to find a way to target the patched project.
Any skilled yarn developer out there?
(Possibly useful information: I cannot use the resolutions field for the patch since @pkg/pkg is a CLI which does not seem to work with this approach)
The solution was to choose the patch suggested with the error and encapsulate it in quotes, such as:
yarn patch "patch:..."
I need to update old dependencies for security reasons in a project that uses Yarn, and I would like to know the best way to do this. I have used yarn add package-name@latest and yarn upgrade package-name@latest with the same result. The old version package definition remains. Is that acceptable? Since I have to update the old version for security, I think the old version should be removed. Is there a command that updates a package to a specific version and removes the old package definition?
The situation you are describing should only arise if you also have transitive dependencies that come from other dependencies.
So you may have another package that depends on acorn in a lower version.
If this is not the case I would try:
yarn upgrade package-name --latest
To update all packages to the latest versions, I recommend:
yarn upgrade-interactive --latest
I've been trying to update a Create React App to use yarn 2 and plug and play (PNP). When I do use nodeLinker: node-modules in the .yarnrc.yml, I can successfully start the dev-server. Without it, I end up with
./src/App.scss (./.yarn/$$virtual/css-loader-virtual-fe3fa7be11/0/cache/css-loader-npm-3.4.2-300ee159b3-2.zip/node_modules/css-loader/dist/cjs.js??ref--6-oneOf-5-1!./.yarn/cache/postcss-loader-npm-3.0.0-f4ab99b685-2.zip/node_modules/postcss-loader/src??postcss!./.yarn/cache/resolve-url-loader-npm-3.1.1-cf1a268137-2.zip/node_modules/resolve-url-loader??ref--6-oneOf-5-3!./.yarn/unplugged/sass-loader-virtual-14ae4e1150/node_modules/sass-loader/dist/cjs.js??ref--6-oneOf-5-4!./src/App.scss)
Error: A package is trying to access a peer dependency that should be provided by its direct ancestor but isn't
Required package: node-sass (via "node-sass")
Required by: sass-loader@virtual:74ba539c0b6c6c8346ea151c91664bff0bef13782983a6f90ddf1a26160140360771dcf40d0863b46ff7add674bc2c42a37daea25f24f4ea96f7843786460ecd#npm:8.0.2 (via /Users/me/color-contrast-matrix/.yarn/unplugged/sass-loader-virtual-14ae4e1150/node_modules/sass-loader/dist/)
It looks like yarn 2 provides a way of overriding a package's dependencies. You have to provide the missing dependency, at least in this case.
From the docs:
Some packages may have been specified incorrectly with regard to their
dependencies - for example with one dependency being missing, causing
Yarn to refuse it the access. The packageExtensions fields offer a way
to extend the existing package definitions with additional
information. If you use it, consider sending a PR upstream and
contributing your extension to the plugin-compat database.
After installing node-sass and adding this config, compilation succeeded.
# .yarnrc.yml
packageExtensions:
  'sass-loader@*':
    optionalDependencies:
      node-sass: '*'
Building on wegry's answer, a better way would be to fix up react-scripts, since that's where the missing peer dependency is.
# .yarnrc.yml
packageExtensions:
  'react-scripts@*':
    peerDependencies:
      node-sass: '^4.0.0 || ^5.0.0' # Or sass: '^1.3.0'
I'm using versions that match the peerDependency of the version of sass-loader that is currently depended on by react-scripts. (I hope by the time the next version of react-scripts comes out, they'll have fixed this bug.)
What this is doing is telling Yarn that react-scripts really should have peer-depended on sass (and also node-sass for that matter), so that sass-loader can use them.
sass-loader itself has defined its dependencies correctly.
I have been using npm for a personal project and just recently stumbled across yarn. Would there be any harm or "intended side effects" to switching to yarn's package manager in the same project where I had been using npm?
Although a few commenters here say it's OK to mix both yarn and npm on the same project, after using yarn and npm and then yarn again, this is what yarn has to say about it:
warning package-lock.json found. Your project contains lock files generated by tools
other than Yarn. It is advised not to mix package managers in order to avoid resolution
inconsistencies caused by unsynchronized lock files. To clear this warning, remove
package-lock.json.
To me, there is no harm in using both of them in one project.
I use npm and yarn (50/50) in dev environment.
But on CI/CD I use only yarn because it is faster, and I reduce build minutes thanks to yarn.
Also they both create different .lock file names.
Nobody mentioned the lock files.
Imagine you use yarn on dev environment, and yarn on your build/production servers. When you install a package using yarn, and your project works on your computer, you probably would want to keep it working on a production environment (your server).
That being said, you would commit your yarn.lock file, that "saves" the exact versions of each package you have, when the project ran on your computer.
On your build/production server you should call yarn install, but asking to keep all the same versions with the --frozen-lockfile parameter. Some even say "yarn install --frozen-lockfile should be the default behavior", and I agree.
Then... another dev jumps into the project you are working on and installs a package using npm (rather than yarn). That new package will not be included in your yarn.lock file, but a new package-json.lock file would be created, telling the exact package versions it is using.
When that commit arrives on your build/production server, it will crash, fail, because that new package doesn't exist in the yarn.lock file. Someone would need to pull those changes, call yarn to install the dependencies and update the lock file with the new package dependencies, and push it again to the repo.
A quick point about using the lock file or not. If you call a 'yarn install' on your build/production server some weeks after the last install on your machine, the server would have many other new versions than your last "stable" version. It already happened to me many times.
I recently published package-locks-checks, which helps ensure you have not just one lock file but have also locked each package version in your project.
There will be a point that one or both will no longer work and your project will be stuck at only using the existing lock file. Meaning, the issue probably will involve installation fails if you opt to reinstall without a lock file. And that also means failure to create a new lock file, so you are stuck with the existing one that you are trying to get rid of in the first place. We are actually encountering this issue in one of our projects. Because it is so big, no one tries to fix the issue and just rely on the existing lock file.
So, even if we say it's a rare case that it won't cause harm. Mixing npm and yarn should be avoided.
Here https://classic.yarnpkg.com/en/docs/migrating-from-npm/ we may find a confirmation that Yarn's resolution algorithm is compatible with NPM resolution algorithm.
Inside a npm project (with package.json) if you run yarn it will read your node_modules folder (using the resolution algorithm) and create a yarn.lock file with your project's locked dependency tree.
Based on that I assume that they are compatible inside the same project.
Update 30/04/2021
My original reply refers to yarn 1 (classic), although I've just created a React app with create-react-app tool and it creates the project's repository with package.json + yarn.lock by default. Again, another demonstration that it's fine (even with the warning mentioned by Dave Pile).
At the end of the day this is a matter of putting both together to work and checking yourself...
Plus, you get a warning from yarn, as Dave Pile said. Because we have to push *-lock.json file changes, you have to consider using npm version >= 7 to make sure whenever you install packages by npm it will update your yarn-lock.json file too.
Because whenever you install the packages, either by npm or yarn, depending on what you have chosen for updating a dependency in the package.json (using tilde ( ~ ), which gives you bug fix releases, and caret ( ^ ), which gives you backward-compatible new functionality), it will update your .lock file, and since you have to push it, it might happen that you have different versions of lock files.
I am just learning about yarn and npm.
I want to use a particular package that crashes my app. I found a project issue which looks like fix has been implemented and merged with master. A comment says npm package has not been updated yet.
I have added the package to my project:
yarn add react-widgets
I thought I could use yarn to add the package via git repository to get fixed version.
The package I want is
https://github.com/jquense/react-widgets
So I tried
yarn add https://github.com/jquense/react-widgets.git
I get error:
error Package "undefined@undefined" doesn't have a "name".
Firstly, is this error a problem with my use of yarn or a problem with react-widgets repository? I am assuming it should work to add it like this so please correct me if I am wrong.
Also, can I assume that if there is an updated npm package, that I will be able to update with yarn at that time?
I'm afraid it is impossible to do now. This git repo is actually several packages inside (main package is here) one repo, and the root package.json is not a valid one - it doesn't have name description and this is the fail reason. There is discussion about supporting this in yarn, but it hasn't been implemented yet (in npm too).
I've made a package that includes 2 components according to a --component-plist file. In the plist file I've added the following flag to prevent downgrade:
BundleIsVersionChecked: Don't install bundle if newer version on disk? (bool)
when I perform downgrade scenario, I get the following message :
Sep 15 11:42:49 os-x-10 installd[284]: PackageKit: Skipping component \
"com.my.driverAE21E" (<current_version>) because the version \
<new_version> is already installed at <my_component>
This is expected, but unfortunately, the installation goes on, and the other component is properly installed, and so are the preinstall and postinstall scripts run - so I get a mixture of both versions.
Is there any way to enforce component version validation prior to any attempt to actually install them, and stop the installation process in case the validation doesn't pass?
UPDATE :
Another approach that can help me is to prevent the running of preinstall and postinstall scripts in case an attempt to downgrade is made.
I've seen reference to unanswered question about this issue here.
What you need to do is add version-check to your distribution.xml for product archive, and then perform whatever check you want in JavaScript code. This will allow you to prevent installation from starting as early as possible by returning false from the check function. Can't give you an example as I never did custom version check myself, but using my.target.receiptForIdentifier() and system.compareVersions() should get you going.
More info on the matter: https://developer.apple.com/reference/installerjs (follow "Distribution Definition XML Schema Reference" link there for distribution.xml description).
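Added example (not from the answer above, whose author did not provide one): a sketch of the JavaScript check the answer describes, refusing the whole install if any component already on disk is newer than the one in the package. The component identifiers and versions are hypothetical, and the receipt's version property and the -1/0/1 return convention of system.compareVersions() are assumptions to confirm against the Installer JS reference linked above.

```javascript
// Added example. `my` and `system` are the objects the macOS Installer exposes to
// distribution scripts. Written in ES5 syntax to avoid newer language features.
// Hypothetical identifiers and versions: what this package is about to install.
var COMPONENTS = {
  'com.example.driver': '2.0.0',
  'com.example.helper': '2.0.0'
};

// Returns the identifiers whose installed receipt is newer than the packaged version.
// Assumptions: receipt.version holds the installed version string, and
// compareVersions(a, b) returns -1, 0 or 1 for a < b, a == b, a > b.
function findDowngrades(target, compareVersions, components) {
  var newer = [];
  for (var identifier in components) {
    if (!Object.prototype.hasOwnProperty.call(components, identifier)) continue;
    var receipt = target.receiptForIdentifier(identifier);
    if (!receipt) continue; // never installed: nothing to downgrade
    if (compareVersions(String(receipt.version), components[identifier]) > 0) {
      newer.push(identifier);
    }
  }
  return newer;
}

// Entry point for the check script in distribution.xml. Returning false stops the
// install before any component is written or any pre/postinstall script runs.
function allowInstall() {
  var compare = function (a, b) { return system.compareVersions(a, b); };
  return findDowngrades(my.target, compare, COMPONENTS).length === 0;
}

// Stand-in for system.compareVersions so the logic can be exercised outside Installer.
function stubCompare(a, b) {
  var x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (var i = 0; i < Math.max(x.length, y.length); i++) {
    var d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d > 0 ? 1 : -1;
  }
  return 0;
}

// Constructed sample: the driver on disk is 3.0.0, the helper was never installed.
function demoDowngradeCheck() {
  var receipts = { 'com.example.driver': { version: '3.0.0' } };
  var target = { receiptForIdentifier: function (id) { return receipts[id] || null; } };
  return findDowngrades(target, stubCompare, COMPONENTS);
}
```

Because the decision covers every component before anything is installed, the mixed-version state from the question cannot arise: either all components proceed or none do.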