yarn ignores package-lock.json

[Spongman]

https://github.com/processing/p5.js

there's no yarn.lock file in this project. yarn install ignores the package-lock.json file there, and installs different versions of packages than npm does, resulting in build failures.

yarn import doens't help:

yarn import v1.7.0
info found npm package-lock.json, converting to yarn.lock
error Failed to import from package-lock.json, source file(s) corrupted
info Visit https://yarnpkg.com/en/docs/cli/import for documentation about this command.

if there's a package-lock.json file and no yarn.lock file, IMO yarn should use the npm file instead.

[tobske]

Duplicate of #3614.

[Spongman]

Thant issue doesn't cover the import failure.

[imsnif]

Hey @Spongman - thanks for reporting this. It looks to me like this error is actually correct, the package-lock.json is indeed corrupt in this package.
It seems that there are a few packages that are in this library's package.json but are not in package-lock.json. An example I found is the mocha-chrome package, but I think there are a few others.

To fix this, what you can do is:

1. npm install - this will update your package-lock.json with the missing packages.
2. yarn import - will now import the fixed file successfully.

This worked for me locally. If it doesn't work for you, please reopen this issue (or open another one) and I'd be happy to take another look (feel free to mention me).

[Spongman]

please reopen this issue

you do know that's impossible, right?

[imsnif]

Hey @Spongman, I'll address your comment from the other issue here in order for it not to stray off topic.

npm can use that package-lock.json file just fine. yarn needs to be more resilient.

npm uses package-lock.json, which is its own lockfile, in order to install dependencies. If a dependency is not in the file (but is in package.json), it installs the latest semver matching version. Yarn does the same thing with its own lockfile.
Yarn does not do the same thing when importing from npm's lockfile in this case. If we're playing the comparing game, there is no equivalent npm behaviour - because npm does not (yet) have this feature (to the best of my knowledge at least).

I think this behaviour is desired. It stems from a situation in which some of your dependencies are not locked and it has the potential of creating chaos (eg. "why when I use npm these deps are not locked and when I use yarn with a lockfile imported from npm they are?") - rather, you get a conceise error explaining what the problem is. If you have suggestions on what it could do otherwise in this case that do not have said chaotic potential and would make it clearer to the user (a better error message perhaps?) I'd be happy to hear.

[Spongman]

right now it's just plain broken. my suggestion is to make it not that.

[Abourass]

@imsnif using NPM install then yarn import solved my corrupted import issue. Thank you

[forgedhallpass]

I have the same issue:

$ npm install
added X packages, removed Y packages, changed Z packages, and audited W packages in 4s

$ yarn import                                  
yarn import v1.22.19
info found npm package-lock.json, converting to yarn.lock
error Failed to import from package-lock.json, source file(s) corrupted
info Visit https://yarnpkg.com/en/docs/cli/import for documentation about this command.

The package-lock.json is valid (cat package-lock.json | jq empty).
NPM version: 9.5.0
Node version: 19.7.0

[aslamanver]

This will work.

npm install
rm package-lock.json
yarn import