
--force option doesn't upgrade and gives log message, "warning Lockfile has incorrect entry" #256

Open
nottoseethesun opened this issue Jun 30, 2022 · 2 comments

Comments

@nottoseethesun

nottoseethesun commented Jun 30, 2022

When I run yarn run yarn-audit-fix --force --audit-level high, and pug needs to be upgraded from major semver 2 to 3, I get this message from yarn-audit-fix:

Verifying package structure...
Preparing temp assets...
Patching yarn.lock with audit data...
invoke yarn audit --json --level high
Upgraded deps: pug@3.0.1
Installing deps update...
invoke yarn install --update-checksums
[1/5] 🔍  Validating package.json...
[2/5] 🔍  Resolving packages...
warning Lockfile has incorrect entry for "pug@^2.0.4". Ignoring it.
[3/5] 🚚  Fetching packages...
[4/5] 🔗  Linking dependencies...
[5/5] 🔨  Building fresh packages...
success Saved lockfile.
$ husky install
husky - Git hooks installed
Done
✨  Done in 6.97s.

-- and the entry in package.json remains ^2.0.4 when it needs to be ^3.0.1. Further yarn-audit-fix runs flag the same error, which causes e.g. Husky scripts to block pushes. We found that, apparently, the version in the yarn.lock file is upgraded, though.

Running yarn-audit-version 9.3.2.

% yarn --version
1.22.19
% npm --version
8.1.2
% node --version
v16.13.1 
@unknownbreaker

unknownbreaker commented Jun 30, 2022

I actually had the same issue as @nottoseethesun but then I upgraded my yarn to 3.2.1.

Now running yarn-audit-fix --force --audit-level high upgrades the major semver in yarn.lock, but that new semver is not reflected in the package.json file.

My package.json has "pug": "^2.0.4", which the --force flag successfully upgraded to 3.0.1 in yarn.lock. However, package.json still shows the same "pug": "^2.0.4".

yarn.lock

"pug@npm:^2.0.4":
  version: 3.0.1
  resolution: "pug@npm:3.0.1"
  dependencies:
    pug-code-gen: ^3.0.2
    pug-filters: ^4.0.0
    pug-lexer: ^5.0.0
    pug-linker: ^4.0.0
    pug-load: ^3.0.0
    pug-parser: ^6.0.0
    pug-runtime: ^3.0.0
    pug-strip-comments: ^2.0.0
  checksum: 3a98e5b072f53cfdcc40ed864cd926eb8fde59e96254b7ae6d27426fc47b896e8d3848741c6123bdd8742c3cfe3ce4c1989e91feb3589e5c48d5937779faa4e9
  languageName: node
  linkType: hard

This seems pretty confusing to me because I would've expected the --force option to have updated my package.json to reflect the 3.0.1 major semver update.

Leaving the package.json unchanged can mislead other developers working on the project into thinking the package is still on 2.x.x when it is actually on 3.x.x. The major semver update would likely have breaking changes in API that would be confusing to pinpoint if package.json still points to the previous major semver.

Shouldn't the package.json be updated, as well?
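An added check for the state this comment describes (example code, not part of yarn-audit-fix or the reporter's project): it parses a yarn berry lockfile and flags declared dependencies whose locked version no longer satisfies the package.json range. The inputs are constructed to mirror the snippets above; only caret ranges are evaluated, other range syntaxes are reported as unknown rather than as mismatches.

```javascript
// Constructed inputs (not from the reporter's repo): package.json still declares ^2.0.4, lock resolved pug to 3.0.1.
const packageJson = { dependencies: { pug: "^2.0.4", "pug-runtime": "^3.0.0" } };
const yarnLock = `
"pug@npm:^2.0.4":
  version: 3.0.1
  resolution: "pug@npm:3.0.1"
"pug-runtime@npm:^3.0.0":
  version: 3.0.1
  resolution: "pug-runtime@npm:3.0.1"
`;
// Map "name@range" -> locked version. Entry headers are unindented, usually quoted, and may list several descriptors.
function parseYarnLock(text) {
  const entries = {};
  let pending = [];
  for (const line of text.split("\n")) {
    const header = line.match(/^"?([^"]+?)"?:$/);
    if (header && !line.startsWith(" ")) {
      pending = header[1].split(", ").map((d) => d.replace("@npm:", "@"));
      continue;
    }
    const ver = line.match(/^\s+version:\s*(\S+)/);
    if (ver) { for (const d of pending) entries[d] = ver[1]; pending = []; }
  }
  return entries;
}
// Caret check without a semver dependency: left-most non-zero component unchanged and not below base; null if unsupported.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) return null;
  const base = range.slice(1).split(".").map(Number);
  while (base.length < 3) base.push(0);
  const v = version.split(/[-+]/)[0].split(".").map(Number); // drop prerelease/build suffix
  const cmp = base.map((b, i) => v[i] - b).find((d) => d !== 0) ?? 0;
  if (cmp < 0) return false;
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}
// Report declared dependencies whose locked version is missing or falls outside the declared range.
function findMismatches(pkg, lockText) {
  const locked = parseYarnLock(lockText);
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  return Object.entries(declared).flatMap(([name, range]) => {
    const version = locked[`${name}@${range}`];
    const ok = version !== undefined && satisfiesCaret(range, version) !== false;
    return ok ? [] : [{ name, range, locked: version ?? null }];
  });
}

console.log(findMismatches(packageJson, yarnLock)); // [{ name: 'pug', range: '^2.0.4', locked: '3.0.1' }]
```

Run against a real checkout as a pre-commit or CI step and a non-empty result shows exactly the package.json/yarn.lock divergence reported in this issue.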

@antongolub
Owner

antongolub commented Jul 1, 2022

Shouldn't the package.json be updated, as well?

Seems reasonable. I'll add this to backlog.
